Windows Analysis Report
1m181Ru74o.exe

Overview

General Information

Sample name: 1m181Ru74o.exe (renamed because the original name is a hash value)
Original sample name: 050736376a0870aea56e2faf90ea34aa7af231c7b2d3d209bcac91628eec77c9.exe
Analysis ID: 1562867
MD5: 06a72ba35aaff1b3ab0ea4d3e2e65451
SHA1: 656564a2afc61d10e70d4833a0a57ef046709963
SHA256: 050736376a0870aea56e2faf90ea34aa7af231c7b2d3d209bcac91628eec77c9
Tags: doganalecmdexeuser-JAMESWT_MHT

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Uses dynamic DNS services
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

AV Detection

Source: 1m181Ru74o.exe Avira: detected
Source: https://aarzoomarine.com/wp-content/plugins/231_Ntmftfldhfc Avira URL Cloud: Label: malware
Source: https://aarzoomarine.com/owa Avira URL Cloud: Label: phishing
Source: https://aarzoomarine.com:443/wp-content/plugins/231_Ntmftfldhfc Avira URL Cloud: Label: phishing
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Avira: detection malicious, Label: TR/AD.Nekark.ykcgg
Source: 1m181Ru74o.exe Malware Configuration Extractor: DBatLoader {"Download Url": ["https://aarzoomarine.com/wp-content/plugins/231_Ntmftfldhfc"]}
Source: 0000000D.00000003.1544682057.00000000030F9000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["craekuro.duckdns.org:1950:1"], "Assigned name": "$100 MILLION", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-YHG91Z", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source: C:\Users\Public\Libraries\Ntmftfld.PIF ReversingLabs: Detection: 65%
Source: 1m181Ru74o.exe ReversingLabs: Detection: 65%
Source: 1m181Ru74o.exe Virustotal: Detection: 83%
Source: Yara match File source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000003.1544682057.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3762154701.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1616189351.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3777713099.0000000025A3F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1616135041.000000000302F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1616096302.0000000003062000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.1544796115.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3762154701.0000000002AA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 7944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 5288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 4540, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.4% probability
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Joe Sandbox ML: detected
Source: 1m181Ru74o.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 9_2_004315EC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_04912384 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 9_2_04912384
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 13_2_004315EC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D62384 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 13_2_06D62384
Source: SndVol.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: 1m181Ru74o.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 103.101.59.23:443 -> 192.168.2.11:49706 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: 1m181Ru74o.exe, 1m181Ru74o.exe, 00000000.00000002.1425448990.0000000002276000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1296625632.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D07000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1297153626.000000007F8A0000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D37000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000005.00000003.1396974122.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.5.dr
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000006.00000003.1402280809.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.6.dr
Source: Binary string: easinvoker.pdbH source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: 1m181Ru74o.exe, 00000000.00000002.1425448990.0000000002276000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1399478941.0000000015AEF000.00000004.00000020.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1425970905.00000000028E0000.00000004.00000020.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1399478941.0000000015B1E000.00000004.00000020.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1296625632.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D07000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1297153626.000000007F8A0000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D37000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1296854371.00000000028E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: esentutl.exe, 00000005.00000003.1396974122.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.5.dr
Source: Binary string: ping.pdb source: esentutl.exe, 00000006.00000003.1402280809.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.6.dr
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EB5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02EB5908
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 9_2_0041A01B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 9_2_0040B28E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 9_2_0040838E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 9_2_004087A0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 9_2_00407848
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004068CD FindFirstFileW,FindNextFileW, 9_2_004068CD
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0044BA59 FindFirstFileExA, 9_2_0044BA59
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 9_2_0040AA71
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 9_2_00417AAB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 9_2_0040AC78
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048E85E0 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 9_2_048E85E0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048E9538 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 9_2_048E9538
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048E7665 FindFirstFileW,FindNextFileW, 9_2_048E7665
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0492C7F1 FindFirstFileExA, 9_2_0492C7F1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048EC026 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 9_2_048EC026
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048E9126 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 9_2_048E9126
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048FADB3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 9_2_048FADB3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048EB809 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 9_2_048EB809
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048F8843 FindFirstFileW, 9_2_048F8843
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048EBA10 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 9_2_048EBA10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 13_2_0041A01B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 13_2_0040B28E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 13_2_0040838E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 13_2_004087A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 13_2_00407848
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_004068CD FindFirstFileW,FindNextFileW, 13_2_004068CD
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0044BA59 FindFirstFileExA, 13_2_0044BA59
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 13_2_0040AA71
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 13_2_00417AAB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 13_2_0040AC78
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D37665 FindFirstFileW,FindNextFileW, 13_2_06D37665
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D7C7F1 FindFirstFileExA, 13_2_06D7C7F1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D385E0 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 13_2_06D385E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D39538 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 13_2_06D39538
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D3C026 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 13_2_06D3C026
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D39126 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 13_2_06D39126
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D4ADB3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 13_2_06D4ADB3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D3BA10 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 13_2_06D3BA10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D48843 FindFirstFileW, 13_2_06D48843
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D3B809 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 13_2_06D3B809
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 9_2_00406D28

Networking

Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49723 -> 172.111.212.138:1950
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49879 -> 172.111.212.138:1950
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49827 -> 172.111.212.138:1950
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49984 -> 172.111.212.138:1950
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49931 -> 172.111.212.138:1950
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49985 -> 172.111.212.138:1950
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49776 -> 172.111.212.138:1950
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49987 -> 172.111.212.138:1950
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49983 -> 172.111.212.138:1950
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49986 -> 172.111.212.138:1950
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49988 -> 172.111.212.138:1950
Source: Malware configuration extractor URLs: https://aarzoomarine.com/wp-content/plugins/231_Ntmftfldhfc
Source: Malware configuration extractor URLs: craekuro.duckdns.org
Source: unknown DNS query: name: craekuro.duckdns.org
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02ECE4BC InternetCheckConnectionA, 0_2_02ECE4BC
Source: Joe Sandbox View ASN Name: IOMART-ASGB IOMART-ASGB
Source: Joe Sandbox View ASN Name: INPL-IN-APIshansNetworkIN INPL-IN-APIshansNetworkIN
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49706 -> 103.101.59.23:443
Source: global traffic HTTP traffic detected: GET /wp-content/plugins/231_Ntmftfldhfc HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: aarzoomarine.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00424A66 recv, 9_2_00424A66
Source: global traffic HTTP traffic detected: GET /wp-content/plugins/231_Ntmftfldhfc HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: aarzoomarine.com
Source: global traffic DNS traffic detected: DNS query: aarzoomarine.com
Source: global traffic DNS traffic detected: DNS query: craekuro.duckdns.org
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 1m181Ru74o.exe, 00000000.00000002.1424747239.00000000006C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mJ
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: SndVol.exe, colorcpl.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: SndVol.exe, 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: 1m181Ru74o.exe, 00000000.00000002.1424747239.00000000006C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: 1m181Ru74o.exe, 1m181Ru74o.exe, 00000000.00000003.1296854371.000000000290C000.00000004.00000020.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1460211820.000000007FA30000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1297153626.000000007F8EF000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1425970905.0000000002908000.00000004.00000020.00020000.00000000.sdmp, Ntmftfld.PIF, 0000000B.00000002.1550969058.0000000002FB2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pmail.com
Source: 1m181Ru74o.exe, 00000000.00000002.1424747239.000000000060E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aarzoomarine.com/owa
Source: 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014DEC000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1424747239.000000000060E000.00000004.00000020.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014DC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://aarzoomarine.com/wp-content/plugins/231_Ntmftfldhfc
Source: 1m181Ru74o.exe, 00000000.00000002.1424747239.0000000000684000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aarzoomarine.com:443/wp-content/plugins/231_Ntmftfldhfc
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown HTTPS traffic detected: 103.101.59.23:443 -> 192.168.2.11:49706 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000 9_2_00409340
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard, 9_2_0040A65A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 9_2_00414EC1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048F5C59 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 9_2_048F5C59
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 13_2_00414EC1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D45C59 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 13_2_06D45C59
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard, 9_2_0040A65A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx, 9_2_00409468

E-Banking Fraud

Source: Yara match File source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000003.1544682057.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3762154701.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1616189351.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3777713099.0000000025A3F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1616135041.000000000302F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1616096302.0000000003062000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.1544796115.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3762154701.0000000002AA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 7944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 5288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 4540, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0041A76C SystemParametersInfoW, 9_2_0041A76C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048FB504 SystemParametersInfoW, 9_2_048FB504
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0041A76C SystemParametersInfoW, 13_2_0041A76C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D4B504 SystemParametersInfoW, 13_2_06D4B504

System Summary

Source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: Process Memory Space: SndVol.exe PID: 7944, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 5288, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 4540, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Windows\SysWOW64\SndVol.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02ECB11C GetModuleHandleW,NtOpenProcess,GetCurrentProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx, 0_2_02ECB11C
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EC7A3C NtAllocateVirtualMemory, 0_2_02EC7A3C
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02ECDC90 RtlD,NtCreateFile,NtWriteFile,NtClose, 0_2_02ECDC90
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02ECDC08 RtlInitUnicodeString,RtlD,NtDeleteFile, 0_2_02ECDC08
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EC7D88 NtWriteVirtualMemory, 0_2_02EC7D88
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02ECDD74 RtlD,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 0_2_02ECDD74
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EC84D8 NtProtectVirtualMemory, 0_2_02EC84D8
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EC7A3A NtAllocateVirtualMemory, 0_2_02EC7A3A
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02ECDBB4 RtlInitUnicodeString,RtlD,NtDeleteFile, 0_2_02ECDBB4
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EC8D74 GetThreadContext,SetThreadContext,NtResumeThread, 0_2_02EC8D74
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EC8D72 GetThreadContext,SetThreadContext,NtResumeThread, 0_2_02EC8D72
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048FC0DC NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 9_2_048FC0DC
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Code function: 11_2_02F4B11C NtOpenProcess,NtCreateThreadEx, 11_2_02F4B11C
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Code function: 11_2_02F47A3C NtAllocateVirtualMemory, 11_2_02F47A3C
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Code function: 11_2_02F47D88 NtWriteVirtualMemory, 11_2_02F47D88
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Code function: 11_2_02F4DD74 NtOpenFile,NtReadFile, 11_2_02F4DD74
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Code function: 11_2_02F484D8 NtProtectVirtualMemory, 11_2_02F484D8
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Code function: 11_2_02F47AD9 NtAllocateVirtualMemory, 11_2_02F47AD9
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Code function: 11_2_02F47A3A NtAllocateVirtualMemory, 11_2_02F47A3A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D4C0DC NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 13_2_06D4C0DC
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02ECF7CC InetIsOffline,CoInitialize,CoUninitialize,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess, 0_2_02ECF7CC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 9_2_00414DB4
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048F5B4C ExitWindowsEx,LoadLibraryA,GetProcAddress, 9_2_048F5B4C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 13_2_00414DB4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D45B4C ExitWindowsEx,LoadLibraryA,GetProcAddress, 13_2_06D45B4C
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EB20C4 0_2_02EB20C4
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00425152 9_2_00425152
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00435286 9_2_00435286
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004513D4 9_2_004513D4
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0045050B 9_2_0045050B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00436510 9_2_00436510
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004316FB 9_2_004316FB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0043569E 9_2_0043569E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00443700 9_2_00443700
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004257FB 9_2_004257FB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004128E3 9_2_004128E3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00425964 9_2_00425964
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0041B917 9_2_0041B917
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0043D9CC 9_2_0043D9CC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00435AD3 9_2_00435AD3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00424BC3 9_2_00424BC3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0043DBFB 9_2_0043DBFB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0044ABA9 9_2_0044ABA9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00433C0B 9_2_00433C0B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00434D8A 9_2_00434D8A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0043DE2A 9_2_0043DE2A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0041CEAF 9_2_0041CEAF
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00435F08 9_2_00435F08
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_04912493 9_2_04912493
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_04924498 9_2_04924498
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_04916436 9_2_04916436
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_04906593 9_2_04906593
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048FC6AF 9_2_048FC6AF
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_049066FC 9_2_049066FC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048F367B 9_2_048F367B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0491E764 9_2_0491E764
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0491601E 9_2_0491601E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0493216C 9_2_0493216C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_049312A3 9_2_049312A3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_049172A8 9_2_049172A8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_04916CA0 9_2_04916CA0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048FDC47 9_2_048FDC47
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_04905EEA 9_2_04905EEA
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0491686B 9_2_0491686B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0491E993 9_2_0491E993
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_049149A3 9_2_049149A3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0490595B 9_2_0490595B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0492B941 9_2_0492B941
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0491EBC2 9_2_0491EBC2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_04915B22 9_2_04915B22
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Code function: 11_2_02F320C4 11_2_02F320C4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_00425152 13_2_00425152
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_00435286 13_2_00435286
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_004513D4 13_2_004513D4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0045050B 13_2_0045050B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_00436510 13_2_00436510
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_004316FB 13_2_004316FB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0043569E 13_2_0043569E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_00443700 13_2_00443700
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_004257FB 13_2_004257FB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_004128E3 13_2_004128E3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_00425964 13_2_00425964
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0041B917 13_2_0041B917
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0043D9CC 13_2_0043D9CC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_00435AD3 13_2_00435AD3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_00424BC3 13_2_00424BC3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0043DBFB 13_2_0043DBFB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0044ABA9 13_2_0044ABA9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_00433C0B 13_2_00433C0B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_00434D8A 13_2_00434D8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0043DE2A 13_2_0043DE2A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0041CEAF 13_2_0041CEAF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_00435F08 13_2_00435F08
Source: 1m181Ru74o.exe Binary or memory string: OriginalFilename vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1296625632.000000007FC5F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1399478941.0000000015B13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1296854371.000000000290C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1425448990.00000000022C5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1425970905.0000000002904000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1399478941.0000000015B42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D37000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1460211820.000000007FA30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1296854371.0000000002908000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1297153626.000000007F8EF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1297153626.000000007F8EF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1425970905.0000000002908000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D7E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: Process Memory Space: SndVol.exe PID: 7944, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 5288, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 4540, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@20/11@5/2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 9_2_00415C90
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048F6A28 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 9_2_048F6A28
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 13_2_00415C90
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D46A28 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 13_2_06D46A28
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EB7FE2 GetDiskFreeSpaceA, 0_2_02EB7FE2
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02ECAD9C CreateToolhelp32Snapshot, 0_2_02ECAD9C
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EC6DD8 CoCreateInstance, 0_2_02EC6DD8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource, 9_2_00419493
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 9_2_00418A00
Source: C:\Users\user\Desktop\1m181Ru74o.exe File created: C:\Users\Public\Libraries\PNO
Source: C:\Windows\SysWOW64\SndVol.exe Mutant created: \Sessions\1\BaseNamedObjects\Windows Volume App Window
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Windows\SysWOW64\SndVol.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-YHG91Z
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Users\user\Desktop\1m181Ru74o.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\1m181Ru74o.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1m181Ru74o.exe ReversingLabs: Detection: 65%
Source: 1m181Ru74o.exe Virustotal: Detection: 83%
Source: C:\Users\user\Desktop\1m181Ru74o.exe File read: C:\Users\user\Desktop\1m181Ru74o.exe
Source: unknown Process created: C:\Users\user\Desktop\1m181Ru74o.exe "C:\Users\user\Desktop\1m181Ru74o.exe"
Source: C:\Users\user\Desktop\1m181Ru74o.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\dlftfmtN.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Users\user\Desktop\1m181Ru74o.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\1m181Ru74o.exe /d C:\\Users\\Public\\Libraries\\Ntmftfld.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1m181Ru74o.exe Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: unknown Process created: C:\Users\Public\Libraries\Ntmftfld.PIF "C:\Users\Public\Libraries\Ntmftfld.PIF"
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: unknown Process created: C:\Users\Public\Libraries\Ntmftfld.PIF "C:\Users\Public\Libraries\Ntmftfld.PIF"
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: url.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1m181Ru74o.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
Source: C:\Windows\SysWOW64\colorcpl.exe Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\colorcpl.exe Window detected: Number of UI elements: 12
Source: 1m181Ru74o.exe Static file information: File size 1566208 > 1048576
Source: 1m181Ru74o.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x10b200
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: 1m181Ru74o.exe, 1m181Ru74o.exe, 00000000.00000002.1425448990.0000000002276000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1296625632.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D07000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1297153626.000000007F8A0000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D37000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000005.00000003.1396974122.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.5.dr
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000006.00000003.1402280809.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.6.dr
Source: Binary string: easinvoker.pdbH source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: 1m181Ru74o.exe, 00000000.00000002.1425448990.0000000002276000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1399478941.0000000015AEF000.00000004.00000020.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1425970905.00000000028E0000.00000004.00000020.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1399478941.0000000015B1E000.00000004.00000020.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1296625632.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D07000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1297153626.000000007F8A0000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D37000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1296854371.00000000028E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: esentutl.exe, 00000005.00000003.1396974122.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.5.dr
Source: Binary string: ping.pdb source: esentutl.exe, 00000006.00000003.1402280809.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.6.dr

Data Obfuscation

Source: Yara match File source: 0.2.1m181Ru74o.exe.2eb0000.2.unpack, type: UNPACKEDPE
Source: alpha.pif.5.dr Static PE information: 0xF8D87E17 [Thu Apr 20 00:53:43 2102 UTC]
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EC895C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02EC895C
Source: alpha.pif.5.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EDD2FC push 02EDD367h; ret 0_2_02EDD35F
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EB63AE push 02EB640Bh; ret 0_2_02EB6403
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EB63B0 push 02EB640Bh; ret 0_2_02EB6403
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EDC37C push 02EDC572h; ret 0_2_02EDC56A
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EB332C push eax; ret 0_2_02EB3368
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EDD0AC push 02EDD125h; ret 0_2_02EDD11D
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EC307C push 02EC30C9h; ret 0_2_02EC30C1
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EC307B push 02EC30C9h; ret 0_2_02EC30C1
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EDD1F8 push 02EDD288h; ret 0_2_02EDD280
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EDD144 push 02EDD1ECh; ret 0_2_02EDD1E4
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02ECF10C push ecx; mov dword ptr [esp], edx 0_2_02ECF111
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EB6792 push 02EB67D6h; ret 0_2_02EB67CE
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EB6794 push 02EB67D6h; ret 0_2_02EB67CE
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EBD5B0 push 02EBD5DCh; ret 0_2_02EBD5D4
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EBC57C push ecx; mov dword ptr [esp], edx 0_2_02EBC581
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EDC574 push 02EDC572h; ret 0_2_02EDC56A
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02ECAAE4 push 02ECAB1Ch; ret 0_2_02ECAB14
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EC8ADC push 02EC8B14h; ret 0_2_02EC8B0C
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EC8ADA push 02EC8B14h; ret 0_2_02EC8B0C
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EBCA5E push 02EBCD82h; ret 0_2_02EBCD7A
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EBCBFC push 02EBCD82h; ret 0_2_02EBCD7A
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EC887C push 02EC88BEh; ret 0_2_02EC88B6
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02F24850 push eax; ret 0_2_02F24920
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EC6958 push 02EC6A03h; ret 0_2_02EC69FB
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EC6956 push 02EC6A03h; ret 0_2_02EC69FB
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EC791C push 02EC7999h; ret 0_2_02EC7991
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EC5E8C push ecx; mov dword ptr [esp], edx 0_2_02EC5E8E
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EC2F70 push 02EC2FE6h; ret 0_2_02EC2FDE
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004000D8 push es; iretd 9_2_004000D9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0040008C push es; iretd 9_2_0040008D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004542E6 push ecx; ret 9_2_004542F9

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\Libraries\Ntmftfld.PIF Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004063C6 ShellExecuteW,URLDownloadToFileW, 9_2_004063C6

Boot Survival

Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 9_2_00418A00
Source: C:\Users\user\Desktop\1m181Ru74o.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ntmftfld Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EB6772 IsIconic, 0_2_02EB6772
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02ECAB20 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_02ECAB20
Source: C:\Users\user\Desktop\1m181Ru74o.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0040E18D Sleep,ExitProcess, 9_2_0040E18D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048EEF25 Sleep,ExitProcess, 9_2_048EEF25
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0040E18D Sleep,ExitProcess, 13_2_0040E18D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D3EF25 Sleep,ExitProcess, 13_2_06D3EF25
Source: C:\Windows\SysWOW64\SndVol.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 9_2_004186FE
Source: C:\Windows\SysWOW64\SndVol.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 9_2_048F9496
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 13_2_004186FE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 13_2_06D49496
Source: C:\Windows\SysWOW64\SndVol.exe Window / User API: threadDelayed 3059 Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe Window / User API: threadDelayed 6534 Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe Window / User API: foregroundWindowGot 1761 Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe Dropped PE file which has not been started: C:\Users\Public\xpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\SndVol.exe API coverage: 5.1 %
Source: C:\Windows\SysWOW64\colorcpl.exe API coverage: 2.7 %
Source: C:\Windows\SysWOW64\SndVol.exe TID: 8024 Thread sleep time: -84500s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe TID: 8028 Thread sleep time: -9177000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe TID: 8028 Thread sleep time: -19602000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EB5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02EB5908
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 9_2_0041A01B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 9_2_0040B28E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 9_2_0040838E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 9_2_004087A0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 9_2_00407848
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004068CD FindFirstFileW,FindNextFileW, 9_2_004068CD
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0044BA59 FindFirstFileExA, 9_2_0044BA59
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 9_2_0040AA71
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 9_2_00417AAB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 9_2_0040AC78
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048E85E0 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 9_2_048E85E0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048E9538 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 9_2_048E9538
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048E7665 FindFirstFileW,FindNextFileW, 9_2_048E7665
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0492C7F1 FindFirstFileExA, 9_2_0492C7F1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048EC026 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 9_2_048EC026
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048E9126 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 9_2_048E9126
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048FADB3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 9_2_048FADB3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048EB809 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 9_2_048EB809
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048F8843 FindFirstFileW, 9_2_048F8843
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048EBA10 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 9_2_048EBA10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 13_2_0041A01B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 13_2_0040B28E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 13_2_0040838E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 13_2_004087A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 13_2_00407848
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_004068CD FindFirstFileW,FindNextFileW, 13_2_004068CD
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0044BA59 FindFirstFileExA, 13_2_0044BA59
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 13_2_0040AA71
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 13_2_00417AAB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 13_2_0040AC78
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D37665 FindFirstFileW,FindNextFileW, 13_2_06D37665
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D7C7F1 FindFirstFileExA, 13_2_06D7C7F1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D385E0 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 13_2_06D385E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D39538 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 13_2_06D39538
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D3C026 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 13_2_06D3C026
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D39126 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 13_2_06D39126
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D4ADB3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 13_2_06D4ADB3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D3BA10 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 13_2_06D3BA10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D48843 FindFirstFileW, 13_2_06D48843
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D3B809 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 13_2_06D3B809
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 9_2_00406D28
Source: 1m181Ru74o.exe, 00000000.00000002.1424747239.000000000060E000.00000004.00000020.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1424747239.0000000000659000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 1m181Ru74o.exe, 00000000.00000002.1424747239.0000000000659000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWN^
Source: Ntmftfld.PIF, 0000000B.00000002.1546846598.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp, Ntmftfld.PIF, 0000000E.00000002.1616931145.0000000000775000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\1m181Ru74o.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\SndVol.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\1m181Ru74o.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02ECF748 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 0_2_02ECF748
Source: C:\Users\user\Desktop\1m181Ru74o.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_004327AE
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EC895C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02EC895C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004407B5 mov eax, dword ptr fs:[00000030h] 9_2_004407B5
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_048E1146 mov eax, dword ptr fs:[00000030h] 9_2_048E1146
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0492154D mov eax, dword ptr fs:[00000030h] 9_2_0492154D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_004407B5 mov eax, dword ptr fs:[00000030h] 13_2_004407B5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D31146 mov eax, dword ptr fs:[00000030h] 13_2_06D31146
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D7154D mov eax, dword ptr fs:[00000030h] 13_2_06D7154D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, 9_2_00410763
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004328FC SetUnhandledExceptionFilter, 9_2_004328FC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_004398AC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00432D5C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_04913546 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_04913546
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_04913694 SetUnhandledExceptionFilter, 9_2_04913694
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0491A644 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_0491A644
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_04913AF4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_04913AF4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_004327AE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_004328FC SetUnhandledExceptionFilter, 13_2_004328FC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_004398AC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00432D5C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D63694 SetUnhandledExceptionFilter, 13_2_06D63694
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D6A644 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_06D6A644
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D63546 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_06D63546
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 13_2_06D63AF4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_06D63AF4

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\1m181Ru74o.exe Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 48E0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 6D30000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 7090000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Thread created: C:\Windows\SysWOW64\SndVol.exe EIP: 48E15CE Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Thread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 6D315CE Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Thread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 70915CE Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Users\user\Desktop\1m181Ru74o.exe Memory written: C:\Windows\SysWOW64\SndVol.exe base: 48E0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6D30000 value starts with: 4D5A Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 7090000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Memory written: C:\Windows\SysWOW64\SndVol.exe base: 48E0000 Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6D30000 Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 7090000 Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 9_2_00410B5C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 13_2_00410B5C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004175E1 mouse_event, 9_2_004175E1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o Jump to behavior
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager'
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerC
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managero
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerM
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager,
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager1Z\
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager5
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manageru
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQ
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager2
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager}
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp, logs.dat.9.dr Binary or memory string: [Program Manager]
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004329DA cpuid 9_2_004329DA
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02EB5ACC
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: GetLocaleInfoA, 0_2_02EBA7D4
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02EB5BD8
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: GetLocaleInfoA, 0_2_02EBA820
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 9_2_0044F17B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 9_2_0044F130
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 9_2_0044F216
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 9_2_0044F2A3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoA, 9_2_0040E2BB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 9_2_0044F4F3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 9_2_0044F61C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 9_2_0044F723
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 9_2_0044F7F0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 9_2_00445914
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 9_2_00445E1C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 9_2_0044EEB8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 9_2_049304BB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 9_2_04930588
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 9_2_049266AC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 9_2_0493003B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoA, 9_2_048EF053
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 9_2_0493028B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 9_2_049303B4
Source: C:\Windows\SysWOW64\SndVol.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 9_2_0492FC50
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 9_2_0492FEC8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 9_2_0492FFAE
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 9_2_0492FF13
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 9_2_04926BB4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 13_2_0044F17B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 13_2_0044F130
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 13_2_0044F216
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 13_2_0044F2A3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoA, 13_2_0040E2BB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 13_2_0044F4F3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 13_2_0044F61C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 13_2_0044F723
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 13_2_0044F7F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 13_2_00445914
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 13_2_00445E1C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 13_2_0044EEB8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 13_2_06D766AC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 13_2_06D804BB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 13_2_06D80588
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 13_2_06D8028B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 13_2_06D803B4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoA, 13_2_06D3F053
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 13_2_06D8003B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 13_2_06D7FEC8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 13_2_06D7FFAE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 13_2_06D7FF13
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 13_2_06D7FC50
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 13_2_06D76BB4
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EB921C GetLocalTime, 0_2_02EB921C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004195F8 GetUserNameW, 9_2_004195F8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 9_2_004466BF
Source: C:\Users\user\Desktop\1m181Ru74o.exe Code function: 0_2_02EBB79C GetVersionExA, 0_2_02EBB79C
Source: C:\Windows\SysWOW64\SndVol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgemc.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000003.1544682057.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3762154701.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1616189351.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3777713099.0000000025A3F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1616135041.000000000302F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1616096302.0000000003062000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.1544796115.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3762154701.0000000002AA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 7944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 5288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 4540, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 9_2_0040A953
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 13_2_0040A953
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 9_2_0040AA71
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \key3.db 9_2_0040AA71
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 13_2_0040AA71
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \key3.db 13_2_0040AA71

Remote Access Functionality

Source: C:\Windows\SysWOW64\SndVol.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-YHG91Z
Source: C:\Windows\SysWOW64\colorcpl.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-YHG91Z
Source: C:\Windows\SysWOW64\colorcpl.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-YHG91Z
Source: Yara match File source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000003.1544682057.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3762154701.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1616189351.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3777713099.0000000025A3F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1616135041.000000000302F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1616096302.0000000003062000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.1544796115.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3762154701.0000000002AA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 7944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 5288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 4540, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\SndVol.exe Code function: cmd.exe 9_2_0040567A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: cmd.exe 13_2_0040567A