Windows Analysis Report
SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe

Overview

General Information

Sample name: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe
Analysis ID: 1520511
MD5: ba28e223163c5b2ec9a8b3749dd8df88
SHA1: 432148c92b5c723033225b14986a4dd80c1344ff
SHA256: 3e77bc5c8cd2052b5b8c14abce4ee3a2bc5d7568860d93524927734732dcaa25
Tags: exeRemcosRATSCRuser-cocaman
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Avira: detection malicious, Label: HEUR/AGEN.1308548
Found malware configuration
Source: 00000009.00000002.2563586845.0000000000E87000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "59b3.ddns.net:2404:1", "Assigned name": "59b3ch7k27", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-LEWDB1", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe ReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe ReversingLabs: Detection: 26%
Yara detected Remcos RAT
Source: Yara match File source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2563586845.0000000000E87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2260304451.0000000003F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4593577729.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2481975782.0000000001337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2481286366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2260304451.000000000400F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2500101220.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2578509114.0000000003BDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe PID: 4388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ozpagjqxzt.exe PID: 4052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ozpagjqxzt.exe PID: 2328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5356, type: MEMORYSTR
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 8_2_004338C8
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2260304451.0000000003F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_1651c7c4-9

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2260304451.0000000003F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2481286366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2260304451.000000000400F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2500101220.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2578509114.0000000003BDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe PID: 4388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ozpagjqxzt.exe PID: 4052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ozpagjqxzt.exe PID: 2328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7088, type: MEMORYSTR

Privilege Escalation
barindex
Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00407538 _wcslen,CoGetObject, 8_2_00407538
Uses 32bit PE files
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2255577609.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2262285652.00000000063E1000.00000004.00000800.00020000.00000000.sdmp, SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2262993639.00000000073E0000.00000004.08000000.00040000.00000000.sdmp, SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2262285652.0000000006459000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000005.00000002.2502232122.00000000062CE000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000005.00000002.2483569013.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000006.00000002.2582256306.0000000006181000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000006.00000002.2582256306.00000000062E6000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000006.00000002.2565784949.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2255577609.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2262285652.00000000063E1000.00000004.00000800.00020000.00000000.sdmp, SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2262993639.00000000073E0000.00000004.08000000.00040000.00000000.sdmp, SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2262285652.0000000006459000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000005.00000002.2502232122.00000000062CE000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000005.00000002.2483569013.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000006.00000002.2582256306.0000000006181000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000006.00000002.2582256306.00000000062E6000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000006.00000002.2565784949.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2261592867.0000000005E30000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2261592867.0000000005E30000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_0040928E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 8_2_0041C322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 8_2_0040C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_004096A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 8_2_00408847
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00407877 FindFirstFileW,FindNextFileW, 8_2_00407877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0044E8F9 FindFirstFileExA, 8_2_0044E8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 8_2_0040BB6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 8_2_00419B86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 8_2_0040BD72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 8_2_00407CD2
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 4x nop then jmp 02D72AFEh 0_2_02D72A1D
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 4x nop then jmp 02D72AFEh 0_2_02D72913
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 4x nop then jmp 02D72AFEh 0_2_02D72920
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_02D707D1
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_02D707D8
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 4x nop then jmp 02D9C468h 0_2_02D9C3B0
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 4x nop then jmp 02D9C468h 0_2_02D9C3A8
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 4x nop then jmp 02D95D13h 0_2_02D95C90
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_0604D538
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then jmp 029C2AFEh 5_2_029C2A1D
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then jmp 029C2AFEh 5_2_029C2913
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then jmp 029C2AFEh 5_2_029C2920
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 5_2_029C07D8
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 5_2_029C07D1
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then jmp 029EC468h 5_2_029EC3B0
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then jmp 029EC468h 5_2_029EC3A8
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then jmp 029E5D13h 5_2_029E5C90
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then jmp 029E5D13h 5_2_029E5C81
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 5_2_05DAD538
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 6_2_04B007D1
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 6_2_04B007D8
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then jmp 04B02AFEh 6_2_04B02920
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then jmp 04B02AFEh 6_2_04B02912
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then jmp 04B02AFEh 6_2_04B02A1D
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then jmp 04B25D13h 6_2_04B25C90
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then jmp 04B25D13h 6_2_04B25C81
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then jmp 04B2C468h 6_2_04B2C3B0
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then jmp 04B2C468h 6_2_04B2C3A8
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 6_2_05D9D538

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2017962 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download disguised as ASCII : 45.66.231.90:80 -> 192.168.2.6:49710
Source: Network traffic Suricata IDS: 2022640 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download Text M2 : 45.66.231.90:80 -> 192.168.2.6:49710
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49713 -> 147.124.212.210:2404
Source: Network traffic Suricata IDS: 2017962 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download disguised as ASCII : 45.66.231.90:80 -> 192.168.2.6:49720
Source: Network traffic Suricata IDS: 2022640 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download Text M2 : 45.66.231.90:80 -> 192.168.2.6:49720
Source: Network traffic Suricata IDS: 2017962 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download disguised as ASCII : 45.66.231.90:80 -> 192.168.2.6:49722
Source: Network traffic Suricata IDS: 2022640 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download Text M2 : 45.66.231.90:80 -> 192.168.2.6:49722
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 59b3.ddns.net
Uses dynamic DNS services
Source: unknown DNS query: name: 59b3.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49713 -> 147.124.212.210:2404
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /59b3/Ehzegagmq.vdf HTTP/1.1Host: 45.66.231.90Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /59b3/Ehzegagmq.vdf HTTP/1.1Host: 45.66.231.90Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /59b3/Ehzegagmq.vdf HTTP/1.1Host: 45.66.231.90Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CMCSUS CMCSUS
Source: Joe Sandbox View ASN Name: AC-AS-1US AC-AS-1US
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49714 -> 178.237.33.50:80
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: unknown TCP traffic detected without corresponding DNS query: 45.66.231.90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 8_2_0041B411
Source: global traffic HTTP traffic detected: GET /59b3/Ehzegagmq.vdf HTTP/1.1Host: 45.66.231.90Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /59b3/Ehzegagmq.vdf HTTP/1.1Host: 45.66.231.90Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /59b3/Ehzegagmq.vdf HTTP/1.1Host: 45.66.231.90Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: 59b3.ddns.net
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2255577609.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000005.00000002.2483569013.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000006.00000002.2565784949.0000000002A91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.66.231.90
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2255577609.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000005.00000002.2483569013.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000006.00000002.2565784949.0000000002A91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.66.231.90/59b3/Ehzegagmq.vdf
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, Ozpagjqxzt.exe.0.dr String found in binary or memory: http://45.66.231.90/59b3/Ehzegagmq.vdf%Buffer
Source: InstallUtil.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2260304451.0000000003F19000.00000004.00000800.00020000.00000000.sdmp, SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2260304451.000000000400F000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000005.00000002.2500101220.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000006.00000002.2578509114.0000000003BDF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2481286366.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: InstallUtil.exe, 00000002.00000002.4593577729.0000000000B88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: InstallUtil.exe, 00000002.00000002.4593835200.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpY?
Source: InstallUtil.exe, 00000002.00000002.4593835200.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpal
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2255577609.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000005.00000002.2483569013.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000006.00000002.2565784949.0000000002A91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2261592867.0000000005E30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2261592867.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, Ozpagjqxzt.exe, 00000005.00000002.2502232122.0000000006325000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000006.00000002.2582256306.0000000006315000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2261592867.0000000005E30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2261592867.0000000005E30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2261592867.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2255577609.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000005.00000002.2483569013.0000000002B2E000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000006.00000002.2565784949.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2261592867.0000000005E30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 8_2_0040A2F3
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard, 8_2_0040B749
Contains functionality to modify clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 8_2_004168FC
Contains functionality to read the clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard, 8_2_0040B749
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 8_2_0040A41B
Yara detected Keylogger Generic
Source: Yara match File source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2260304451.0000000003F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2481286366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2260304451.000000000400F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2500101220.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2578509114.0000000003BDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe PID: 4388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ozpagjqxzt.exe PID: 4052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ozpagjqxzt.exe PID: 2328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7088, type: MEMORYSTR

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2563586845.0000000000E87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2260304451.0000000003F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4593577729.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2481975782.0000000001337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2481286366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2260304451.000000000400F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2500101220.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2578509114.0000000003BDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe PID: 4388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ozpagjqxzt.exe PID: 4052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ozpagjqxzt.exe PID: 2328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5356, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0041CA73 SystemParametersInfoW, 8_2_0041CA73

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2260304451.0000000003F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.2481286366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.2481286366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.2481286366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2260304451.000000000400F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.2500101220.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.2578509114.0000000003BDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe PID: 4388, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Ozpagjqxzt.exe PID: 4052, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Ozpagjqxzt.exe PID: 2328, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 7088, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D9EE20 NtResumeThread, 0_2_02D9EE20
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D9D928 NtProtectVirtualMemory, 0_2_02D9D928
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D9EE18 NtResumeThread, 0_2_02D9EE18
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D9D920 NtProtectVirtualMemory, 0_2_02D9D920
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029EEE20 NtResumeThread, 5_2_029EEE20
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029ED928 NtProtectVirtualMemory, 5_2_029ED928
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029EEE18 NtResumeThread, 5_2_029EEE18
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029ED920 NtProtectVirtualMemory, 5_2_029ED920
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B2D928 NtProtectVirtualMemory, 6_2_04B2D928
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B2EE20 NtResumeThread, 6_2_04B2EE20
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B2D920 NtProtectVirtualMemory, 6_2_04B2D920
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B2EE18 NtResumeThread, 6_2_04B2EE18
Contains functionality to shutdown / reboot the system
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress, 8_2_004167EF
Detected potential crypto function
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_012BA450 0_2_012BA450
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_012B6548 0_2_012B6548
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_012B6558 0_2_012B6558
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_012B6BA0 0_2_012B6BA0
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_012B6B90 0_2_012B6B90
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D42140 0_2_02D42140
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D45730 0_2_02D45730
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D43348 0_2_02D43348
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D42467 0_2_02D42467
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D78398 0_2_02D78398
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D7A170 0_2_02D7A170
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D71C80 0_2_02D71C80
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D7ACA0 0_2_02D7ACA0
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D72A1D 0_2_02D72A1D
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D7838B 0_2_02D7838B
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D7E810 0_2_02D7E810
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D7E800 0_2_02D7E800
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D7A161 0_2_02D7A161
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D72913 0_2_02D72913
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D72920 0_2_02D72920
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D7AC93 0_2_02D7AC93
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D71C73 0_2_02D71C73
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D9AAF8 0_2_02D9AAF8
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D98A90 0_2_02D98A90
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D9D688 0_2_02D9D688
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D9B788 0_2_02D9B788
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D9AAF6 0_2_02D9AAF6
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D98A8C 0_2_02D98A8C
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D9D678 0_2_02D9D678
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D99FC8 0_2_02D99FC8
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D99FB8 0_2_02D99FB8
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D9B778 0_2_02D9B778
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_05DF0048 0_2_05DF0048
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_05E9F008 0_2_05E9F008
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_05E96A18 0_2_05E96A18
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_05E954A8 0_2_05E954A8
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_05E95460 0_2_05E95460
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_05E96FC5 0_2_05E96FC5
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_05E96FB0 0_2_05E96FB0
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_05E90040 0_2_05E90040
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_05E9001F 0_2_05E9001F
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_05E96A0B 0_2_05E96A0B
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_0604EA70 0_2_0604EA70
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_06040040 0_2_06040040
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_062BDD98 0_2_062BDD98
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_062BF378 0_2_062BF378
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_062A001F 0_2_062A001F
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_062A0040 0_2_062A0040
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_062BD100 0_2_062BD100
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_05DF0002 0_2_05DF0002
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_0293A450 5_2_0293A450
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_02936558 5_2_02936558
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_02936548 5_2_02936548
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_02936B90 5_2_02936B90
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_02936BA0 5_2_02936BA0
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_02992140 5_2_02992140
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_02995730 5_2_02995730
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_02993348 5_2_02993348
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_02992467 5_2_02992467
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029C92D8 5_2_029C92D8
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029C9E08 5_2_029C9E08
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029C1C80 5_2_029C1C80
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029C92C8 5_2_029C92C8
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029C2A1D 5_2_029C2A1D
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029C2913 5_2_029C2913
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029C2920 5_2_029C2920
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029CD978 5_2_029CD978
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029CD968 5_2_029CD968
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029C1C73 5_2_029C1C73
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029C9DF8 5_2_029C9DF8
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029E8A90 5_2_029E8A90
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029ED688 5_2_029ED688
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029EAAF8 5_2_029EAAF8
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029EB788 5_2_029EB788
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029E8A8C 5_2_029E8A8C
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029EAAF7 5_2_029EAAF7
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029ED678 5_2_029ED678
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029E9FB8 5_2_029E9FB8
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029E9FC8 5_2_029E9FC8
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_029EB778 5_2_029EB778
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_05BFF008 5_2_05BFF008
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_05BF6A18 5_2_05BF6A18
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_05BF54A8 5_2_05BF54A8
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_05BF5460 5_2_05BF5460
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_05BF6FB0 5_2_05BF6FB0
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_05BF0006 5_2_05BF0006
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_05BF0040 5_2_05BF0040
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_05BF6A0A 5_2_05BF6A0A
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_05DAEA70 5_2_05DAEA70
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_05DA0040 5_2_05DA0040
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_05DA0007 5_2_05DA0007
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_0601DD98 5_2_0601DD98
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_0601F378 5_2_0601F378
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_06000007 5_2_06000007
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_06000040 5_2_06000040
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_0601D100 5_2_0601D100
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_02A3A450 6_2_02A3A450
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_02A36548 6_2_02A36548
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_02A36558 6_2_02A36558
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_02A36BA0 6_2_02A36BA0
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_02A36B90 6_2_02A36B90
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04AD5730 6_2_04AD5730
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04AD2140 6_2_04AD2140
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04AD2467 6_2_04AD2467
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04AD3348 6_2_04AD3348
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B01C80 6_2_04B01C80
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B09E08 6_2_04B09E08
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B092D8 6_2_04B092D8
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B01C72 6_2_04B01C72
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B09DF8 6_2_04B09DF8
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B02920 6_2_04B02920
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B02912 6_2_04B02912
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B0D978 6_2_04B0D978
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B0D968 6_2_04B0D968
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B092C8 6_2_04B092C8
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B02A1D 6_2_04B02A1D
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B28A90 6_2_04B28A90
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B2D688 6_2_04B2D688
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B2AAF8 6_2_04B2AAF8
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B2B788 6_2_04B2B788
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B2D684 6_2_04B2D684
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B28A8C 6_2_04B28A8C
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B2AAF7 6_2_04B2AAF7
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B29FC7 6_2_04B29FC7
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B29FC8 6_2_04B29FC8
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_04B2B778 6_2_04B2B778
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_05BEF008 6_2_05BEF008
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_05BE6A18 6_2_05BE6A18
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_05BE54A8 6_2_05BE54A8
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_05BE0006 6_2_05BE0006
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_05BE5460 6_2_05BE5460
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_05BE0040 6_2_05BE0040
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_05BE6A0A 6_2_05BE6A0A
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_05D9EA70 6_2_05D9EA70
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_05D90040 6_2_05D90040
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_0600DD98 6_2_0600DD98
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_0600F378 6_2_0600F378
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_05FF0040 6_2_05FF0040
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_0600D100 6_2_0600D100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0043706A 8_2_0043706A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00414005 8_2_00414005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0043E11C 8_2_0043E11C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_004541D9 8_2_004541D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_004381E8 8_2_004381E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0041F18B 8_2_0041F18B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00446270 8_2_00446270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0043E34B 8_2_0043E34B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_004533AB 8_2_004533AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0042742E 8_2_0042742E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00437566 8_2_00437566
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0043E5A8 8_2_0043E5A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_004387F0 8_2_004387F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0043797E 8_2_0043797E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_004339D7 8_2_004339D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0044DA49 8_2_0044DA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00427AD7 8_2_00427AD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0041DBF3 8_2_0041DBF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00427C40 8_2_00427C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00437DB3 8_2_00437DB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00435EEB 8_2_00435EEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0043DEED 8_2_0043DEED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00426E9F 8_2_00426E9F
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 00401E65 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 00434E70 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 00434801 appears 41 times
Sample file is different than original file name gathered from version info
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2255577609.000000000326D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2261081371.0000000005C80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameIdgqffqhzm.dll" vs SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2261592867.0000000005E30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2262134785.000000000630E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.exe vs SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2262285652.00000000063E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2262993639.00000000073E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2255067820.000000000109E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2255577609.00000000032C9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.exe vs SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000000.2114382921.0000000000A74000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.exe vs SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2262285652.0000000006459000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2255577609.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Binary or memory string: OriginalFilenameSERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.exe vs SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe
Uses 32bit PE files
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2260304451.0000000003F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.2481286366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.2481286366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.2481286366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2260304451.000000000400F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.2500101220.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000002.2578509114.0000000003BDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe PID: 4388, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Ozpagjqxzt.exe PID: 4052, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Ozpagjqxzt.exe PID: 2328, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 7088, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6520630.6.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6520630.6.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6520630.6.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6520630.6.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.73e0000.8.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.73e0000.8.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.73e0000.8.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6409038.7.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6409038.7.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.73e0000.8.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.73e0000.8.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6520630.6.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.73e0000.8.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6520630.6.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6520630.6.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6409038.7.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6409038.7.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.73e0000.8.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6409038.7.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6409038.7.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6520630.6.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.73e0000.8.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6520630.6.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6520630.6.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@9/3@2/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 8_2_0041798D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 8_2_0040F4AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource, 8_2_0041B539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 8_2_0041AADB
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe File created: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-LEWDB1
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe File read: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe "C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe"
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe "C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe "C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe"
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2255577609.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2262285652.00000000063E1000.00000004.00000800.00020000.00000000.sdmp, SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2262993639.00000000073E0000.00000004.08000000.00040000.00000000.sdmp, SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2262285652.0000000006459000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000005.00000002.2502232122.00000000062CE000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000005.00000002.2483569013.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000006.00000002.2582256306.0000000006181000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000006.00000002.2582256306.00000000062E6000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000006.00000002.2565784949.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2255577609.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2262285652.00000000063E1000.00000004.00000800.00020000.00000000.sdmp, SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2262993639.00000000073E0000.00000004.08000000.00040000.00000000.sdmp, SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2262285652.0000000006459000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000005.00000002.2502232122.00000000062CE000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000005.00000002.2483569013.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000006.00000002.2582256306.0000000006181000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000006.00000002.2582256306.00000000062E6000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000006.00000002.2565784949.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2261592867.0000000005E30000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2261592867.0000000005E30000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, Bvyzcue.cs .Net Code: Jrnpo
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, Ilugpy.cs .Net Code: LoadAssembly System.Reflection.Assembly.Load(byte[])
Source: Ozpagjqxzt.exe.0.dr, Bvyzcue.cs .Net Code: Jrnpo
Source: Ozpagjqxzt.exe.0.dr, Ilugpy.cs .Net Code: LoadAssembly System.Reflection.Assembly.Load(byte[])
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.32b7b5c.1.raw.unpack, Bvyzcue.cs .Net Code: Jrnpo
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.32b7b5c.1.raw.unpack, Ilugpy.cs .Net Code: LoadAssembly System.Reflection.Assembly.Load(byte[])
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.5e30000.4.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.5e30000.4.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.5e30000.4.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.5e30000.4.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.5e30000.4.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6520630.6.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6520630.6.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6520630.6.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.73e0000.8.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.73e0000.8.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.73e0000.8.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6409038.7.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6409038.7.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.6409038.7.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Yara detected Costura Assembly Loader
Source: Yara match File source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.5f10000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2261751920.0000000005F10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2483569013.0000000002B2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2255577609.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2565784949.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe PID: 4388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ozpagjqxzt.exe PID: 4052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ozpagjqxzt.exe PID: 2328, type: MEMORYSTR
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 8_2_0041CBE1
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_02D7C82C push edx; ret 0_2_02D7C82D
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_05DF2EA7 push esp; retf 0_2_05DF2EA8
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_05E9AD6B push esp; ret 0_2_05E9AD72
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_06043230 pushfd ; iretd 0_2_06043236
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_0604326F pushad ; iretd 0_2_06043272
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_05B52EA7 push esp; retf 5_2_05B52EA8
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_05BFAD6B push esp; ret 5_2_05BFAD72
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_05DA326F pushad ; iretd 5_2_05DA3272
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 5_2_05DA3230 pushfd ; iretd 5_2_05DA3236
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_05BEAD6B push esp; ret 6_2_05BEAD72
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_05D9326F pushad ; iretd 6_2_05D93272
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Code function: 6_2_05D93230 pushfd ; iretd 6_2_05D93236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00457186 push ecx; ret 8_2_00457199
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0045E55D push esi; ret 8_2_0045E566
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00457AA8 push eax; ret 8_2_00457AC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00434EB6 push ecx; ret 8_2_00434EC9
Source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.5c80000.3.raw.unpack, rWFb2hEB3NXqa5sMRTp.cs High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'vCPExSvxI0', 'NtProtectVirtualMemory', 'PPBhgLTwA0IILE1QgpE', 'V33UslThDApmbalbn4Y', 'zZkT5jTRISYcaQl3PhP', 'ChueiFTnia1N34y6Sb4'
Contains functionality to download and launch executables
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00406EEB ShellExecuteW,URLDownloadToFileW, 8_2_00406EEB
Creates processes with suspicious names
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe File created: \service or product desription and company profile.scr.exe
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe File created: \service or product desription and company profile.scr.exe Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe File created: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 8_2_0041AADB
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ozpagjqxzt Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ozpagjqxzt Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (132).png
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 8_2_0041CBE1
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe PID: 4388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ozpagjqxzt.exe PID: 4052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ozpagjqxzt.exe PID: 2328, type: MEMORYSTR
Delayed program exit found
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0040F7E2 Sleep,ExitProcess, 8_2_0040F7E2
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2255577609.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000005.00000002.2483569013.0000000002B2E000.00000004.00000800.00020000.00000000.sdmp, Ozpagjqxzt.exe, 00000006.00000002.2565784949.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Memory allocated: 12B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Memory allocated: 2EC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Memory allocated: 2D00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Memory allocated: 63E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Memory allocated: 6050000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory allocated: 28F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory allocated: 2B00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory allocated: 2950000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory allocated: 6140000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory allocated: 5DB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory allocated: 1140000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory allocated: 2A90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory allocated: 4A90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory allocated: 6130000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory allocated: 5DA0000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_05DF0048 rdtsc 0_2_05DF0048
Contains functionality to enumerate running services
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 8_2_0041A7D9
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 3197 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 6796 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe API coverage: 6.1 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5140 Thread sleep count: 3197 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5140 Thread sleep time: -9591000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5140 Thread sleep count: 6796 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5140 Thread sleep time: -20388000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_0040928E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 8_2_0041C322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 8_2_0040C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_004096A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 8_2_00408847
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00407877 FindFirstFileW,FindNextFileW, 8_2_00407877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0044E8F9 FindFirstFileExA, 8_2_0044E8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 8_2_0040BB6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 8_2_00419B86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 8_2_0040BD72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 8_2_00407CD2
Source: Ozpagjqxzt.exe, 00000005.00000002.2481578450.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
Source: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe, 00000000.00000002.2255067820.00000000010D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
Source: Ozpagjqxzt.exe, 00000006.00000002.2565784949.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: InstallUtil.exe, 00000002.00000002.4594242566.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4593577729.0000000000B88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Ozpagjqxzt.exe, 00000006.00000002.2565784949.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: Ozpagjqxzt.exe, 00000006.00000002.2563369659.0000000000E87000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Code function: 0_2_05DF0048 rdtsc 0_2_05DF0048
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00434A8A
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 8_2_0041CBE1
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00443355 mov eax, dword ptr fs:[00000030h] 8_2_00443355
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_004120B2 GetProcessHeap,HeapFree, 8_2_004120B2
Enables debug privileges
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_0043503C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00434A8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0043BB71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00434BD8 SetUnhandledExceptionFilter, 8_2_00434BD8
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 459000 Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 471000 Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 477000 Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 478000 Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 479000 Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 47E000 Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 91C008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 459000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 471000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 477000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 478000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 479000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 47E000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: E68008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 459000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 471000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 477000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 478000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 479000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 47E000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 97C008 Jump to behavior
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 8_2_00412132
Contains functionality to simulate mouse events
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00419662 mouse_event, 8_2_00419662
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: InstallUtil.exe, 00000002.00000002.4594242566.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: InstallUtil.exe, 00000002.00000002.4594242566.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerK
Source: InstallUtil.exe, 00000002.00000002.4594242566.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerxK!
Source: InstallUtil.exe, 00000002.00000002.4593835200.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4593835200.0000000000BE6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4593577729.0000000000B88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00434CB6 cpuid 8_2_00434CB6
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: EnumSystemLocalesW, 8_2_0045201B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: EnumSystemLocalesW, 8_2_004520B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_00452143
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: GetLocaleInfoW, 8_2_00452393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: EnumSystemLocalesW, 8_2_00448484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_004524BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: GetLocaleInfoW, 8_2_004525C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_00452690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: GetLocaleInfoW, 8_2_0044896D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: GetLocaleInfoA, 8_2_0040F90C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 8_2_00451D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: EnumSystemLocalesW, 8_2_00451FD0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Queries volume information: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Queries volume information: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Queries volume information: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ozpagjqxzt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0041A045 __EH_prolog,GdiplusStartup,CreateDirectoryW,Sleep,Sleep,GetLocalTime,Sleep, 8_2_0041A045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0041B69E GetUserNameW, 8_2_0041B69E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 8_2_00449210
Source: C:\Users\user\Desktop\SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2563586845.0000000000E87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2260304451.0000000003F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4593577729.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2481975782.0000000001337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2481286366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2260304451.000000000400F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2500101220.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2578509114.0000000003BDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe PID: 4388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ozpagjqxzt.exe PID: 4052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ozpagjqxzt.exe PID: 2328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5356, type: MEMORYSTR
Contains functionality to steal Chrome passwords or cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 8_2_0040BA4D
Contains functionality to steal Firefox passwords or cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 8_2_0040BB6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: \key3.db 8_2_0040BB6B

Remote Access Functionality
barindex
Detected Remcos RAT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-LEWDB1 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-LEWDB1 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-LEWDB1 Jump to behavior
Yara detected Remcos RAT
Source: Yara match File source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe.3f5bae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2563586845.0000000000E87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2260304451.0000000003F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4593577729.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2481975782.0000000001337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2481286366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2260304451.000000000400F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2500101220.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2578509114.0000000003BDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe PID: 4388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ozpagjqxzt.exe PID: 4052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ozpagjqxzt.exe PID: 2328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5356, type: MEMORYSTR
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: cmd.exe 8_2_0040569A
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1520511 Sample: SERVICE OR PRODUCT DESRIPTI... Startdate: 27/09/2024 Architecture: WINDOWS Score: 100 32 59b3.ddns.net 2->32 34 geoplugin.net 2->34 46 Suricata IDS alerts for network traffic 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 54 12 other signatures 2->54 7 SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe 16 4 2->7         started        12 Ozpagjqxzt.exe 14 2 2->12         started        14 Ozpagjqxzt.exe 2 2->14         started        signatures3 52 Uses dynamic DNS services 32->52 process4 dnsIp5 36 45.66.231.90, 49710, 49720, 49722 CMCSUS Germany 7->36 24 C:\Users\user\AppData\...\Ozpagjqxzt.exe, PE32 7->24 dropped 26 C:\Users\...\Ozpagjqxzt.exe:Zone.Identifier, ASCII 7->26 dropped 56 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->56 58 Writes to foreign memory regions 7->58 60 Allocates memory in foreign processes 7->60 16 InstallUtil.exe 3 13 7->16         started        62 Antivirus detection for dropped file 12->62 64 Multi AV Scanner detection for dropped file 12->64 66 Machine Learning detection for dropped file 12->66 20 InstallUtil.exe 12->20         started        68 Injects a PE file into a foreign processes 14->68 22 InstallUtil.exe 14->22         started        file6 signatures7 process8 dnsIp9 28 59b3.ddns.net 147.124.212.210, 2404, 49713 AC-AS-1US United States 16->28 30 geoplugin.net 178.237.33.50, 49714, 80 ATOM86-ASATOM86NL Netherlands 16->30 38 Contains functionality to bypass UAC (CMSTPLUA) 16->38 40 Detected Remcos RAT 16->40 42 Contains functionalty to change the wallpaper 16->42 44 4 other signatures 16->44 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
45.66.231.90
 unknown Germany
33657 CMCSUS true
147.124.212.210
 59b3.ddns.net United States
1432 AC-AS-1US true
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false

Contacted Domains

Name IP Active
59b3.ddns.net 147.124.212.210 true
geoplugin.net 178.237.33.50 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://geoplugin.net/json.gp false
  • URL Reputation: safe
 unknown
59b3.ddns.net true
    		unknown
    http://45.66.231.90/59b3/Ehzegagmq.vdf true
      		unknown