Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Avira: detected |
Source: 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Malware Configuration Extractor: Remcos {"Host:Port:Password": "ab9001.ddns.net:31944:1", "Assigned name": "OCTOBERs", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "VLC.exe", "Startup value": "Rmc", "Hide file": "Disable", "Mutex": "Chrorne-CKQJ2Y", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"} |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Virustotal: Detection: 83% |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
ReversingLabs: Detection: 89% |
Source: Yara match |
File source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, type: SAMPLE |
Source: Yara match |
File source: 0.2.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.3790231384.000000000227F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.3789902446.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.1345113615.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe PID: 7824, type: MEMORYSTR |
Source: Yara match |
File source: C:\ProgramData\remcos\logs.dat, type: DROPPED |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 100.0% probability |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789902446.0000000000456000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: -----BEGIN PUBLIC KEY----- |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_004068CD FindFirstFileW,FindNextFileW, |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0044BA59 FindFirstFileExA, |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, |
Source: Network traffic |
Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49725 -> 64.188.16.157:31944 |
Source: Network traffic |
Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49850 -> 64.188.16.157:31944 |
Source: Network traffic |
Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49979 -> 64.188.16.157:31944 |
Source: Network traffic |
Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49974 -> 64.188.16.157:31944 |
Source: Network traffic |
Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49978 -> 64.188.16.157:31944 |
Source: Network traffic |
Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49977 -> 64.188.16.157:31944 |
Source: Network traffic |
Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49982 -> 64.188.16.157:31944 |
Source: Network traffic |
Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49980 -> 64.188.16.157:31944 |
Source: Network traffic |
Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49976 -> 64.188.16.157:31944 |
Source: Network traffic |
Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49981 -> 64.188.16.157:31944 |
Source: Network traffic |
Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49983 -> 64.188.16.157:31944 |
Source: Malware configuration extractor |
URLs: ab9001.ddns.net |
Source: unknown |
DNS query: name: ab9001.ddns.net |
Source: global traffic |
TCP traffic: 192.168.2.9:49725 -> 64.188.16.157:31944 |
Source: Joe Sandbox View |
IP Address: 64.188.16.157 |
Source: Joe Sandbox View |
ASN Name: ASN-QUADRANET-GLOBALUS |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00424A66 recv, |
Source: global traffic |
DNS traffic detected: DNS query: ab9001.ddns.net |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
String found in binary or memory: http://geoplugin.net/json.gp |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
String found in binary or memory: http://geoplugin.net/json.gp/C |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard, |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx, |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0041A76C SystemParametersInfoW, |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, type: SAMPLE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, type: SAMPLE |
Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 0.2.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.0.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 0.0.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.0.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 00000000.00000002.3789902446.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000000.00000000.1345113615.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe PID: 7824, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Process Stats: CPU usage > 49% |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress, |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00425152 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00435286 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_004513D4 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0045050B |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00436510 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_004316FB |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0043569E |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00443700 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_004257FB |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_004128E3 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00425964 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0041B917 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0043D9CC |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00435AD3 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00424BC3 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0043DBFB |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0044ABA9 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00433C0B |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00434D8A |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0043DE2A |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0041CEAF |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00435F08 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: String function: 00402073 appears 51 times |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: String function: 00432B90 appears 53 times |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: String function: 00432525 appears 42 times |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, type: SAMPLE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe |
Source: 0.2.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.0.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe |
Source: 0.0.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.0.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe |
Source: 00000000.00000002.3789902446.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000000.00000000.1345113615.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe PID: 7824, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: classification engine |
Classification label: mal100.rans.troj.spyw.evad.winEXE@1/1@4/1 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle, |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource, |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Chrorne-CKQJ2Y |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: Software\ |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: Chrorne-CKQJ2Y |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: Exe |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: Exe |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: Chrorne-CKQJ2Y |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: (#G |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: Inj |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: Inj |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: Inj |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: Chrorne-CKQJ2Y |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: origmsc |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: Rmc |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: XIK |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: XIK |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: XIK |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: H"G |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: XIK |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: exepath |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: H"G |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: exepath |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: XIK |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: licence |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: `"G |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: Administrator |
0_2_0040D3F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Command line argument: User |
0_2_0040D3F0 |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Section loaded: cryptbase.dll |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, |
0_2_0041A8DA |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_004542E6 push ecx; ret |
0_2_004542F9 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00432BD6 push ecx; ret |
0_2_00432BE9 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00454C08 push eax; ret |
0_2_00454C26 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_004063C6 ShellExecuteW,URLDownloadToFileW, |
0_2_004063C6 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, |
0_2_00418A00 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0040E18D Sleep,ExitProcess, |
0_2_0040E18D |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, |
0_2_004186FE |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Window / User API: threadDelayed 5450 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Window / User API: threadDelayed 4039 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Window / User API: foregroundWindowGot 1775 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
API coverage: 8.5 % |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe TID: 7848 |
Thread sleep count: 235 > 30 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe TID: 7848 |
Thread sleep time: -117500s >= -30000s |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe TID: 7852 |
Thread sleep count: 5450 > 30 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe TID: 7852 |
Thread sleep time: -16350000s >= -30000s |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe TID: 7852 |
Thread sleep count: 4039 > 30 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe TID: 7852 |
Thread sleep time: -12117000s >= -30000s |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
0_2_0041A01B |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
0_2_0040B28E |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
0_2_0040838E |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
0_2_004087A0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
0_2_00407848 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_004068CD FindFirstFileW,FindNextFileW, |
0_2_004068CD |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0044BA59 FindFirstFileExA, |
0_2_0044BA59 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
0_2_0040AA71 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, |
0_2_00417AAB |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
0_2_0040AC78 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, |
0_2_00406D28 |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll- |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_004327AE |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_004407B5 mov eax, dword ptr fs:[00000030h] |
0_2_004407B5 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, |
0_2_00410763 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_004328FC SetUnhandledExceptionFilter, |
0_2_004328FC |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_004398AC |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00432D5C |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe |
0_2_00410B5C |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_004175E1 mouse_event, |
0_2_004175E1 |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Managerhn |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Managerijk) |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Managerc |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerEM |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Managers.net:31944 |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerPjr) |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerXe!) |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager4eE) |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager]n&) |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Managerfj`) |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager, |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager)e^) |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Managerina/ |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerZn |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerOn()P |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerCe() |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager1 |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager&eW) |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerM( |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager> |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, logs.dat.0.dr |
Binary or memory string: [Program Manager] |
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerMe:) |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_004329DA cpuid |
0_2_004329DA |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: EnumSystemLocalesW, |
0_2_0044F17B |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: EnumSystemLocalesW, |
0_2_0044F130 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: EnumSystemLocalesW, |
0_2_0044F216 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
0_2_0044F2A3 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: GetLocaleInfoA, |
0_2_0040E2BB |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: GetLocaleInfoW, |
0_2_0044F4F3 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
0_2_0044F61C |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: GetLocaleInfoW, |
0_2_0044F723 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
0_2_0044F7F0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: EnumSystemLocalesW, |
0_2_00445914 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: GetLocaleInfoW, |
0_2_00445E1C |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
0_2_0044EEB8 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_0040A0B0 GetLocalTime,wsprintfW, |
0_2_0040A0B0 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_004195F8 GetComputerNameExW,GetUserNameW, |
0_2_004195F8 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: 0_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, |
0_2_004466BF |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: Yara match |
File source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, type: SAMPLE |
Source: Yara match |
File source: 0.2.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.3790231384.000000000227F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.3789902446.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.1345113615.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe PID: 7824, type: MEMORYSTR |
Source: Yara match |
File source: C:\ProgramData\remcos\logs.dat, type: DROPPED |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data |
0_2_0040A953 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ |
0_2_0040AA71 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: \key3.db |
0_2_0040AA71 |
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
Code function: cmd.exe |
0_2_0040567A |