Windows Analysis Report
AWkpqJMxci.exe

Overview

General Information

Sample name: AWkpqJMxci.exe
renamed because original name is a hash value
Original sample name: 096394b733ca53e65afa06302776c52330f2567d665a42e0c5463fe23c523e62.exe
Analysis ID: 1562870
MD5: b4e2055b4877dcfcbf9a366106b15591
SHA1: 459f7b89e83d5be3581029dca3bb32d4c97d8156
SHA256: 096394b733ca53e65afa06302776c52330f2567d665a42e0c5463fe23c523e62
Tags: doganalecmdexeuser-JAMESWT_MHT
Infos:

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Uses dynamic DNS services
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Name Description Attribution Blogpost URLs Link
DBatLoader This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: AWkpqJMxci.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Avira: detection malicious, Label: TR/AD.Nekark.gwqnm
Found malware configuration
Source: AWkpqJMxci.exe Malware Configuration Extractor: DBatLoader {"Download Url": ["https://drive.usercontent.google.com/download?id=1K_zVl3JVaxBaP1lXOhZSCueAU9P7Lpb0"]}
Source: 00000008.00000002.4115847065.00000000027BA000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["ogcmaw.duckdns.org:2404:0", "emberluck.duckdns.org:2500:0"], "Assigned name": "Ember Luck", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-SKG82E", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Libraries\Bzaszylr.PIF ReversingLabs: Detection: 71%
Multi AV Scanner detection for submitted file
Source: AWkpqJMxci.exe ReversingLabs: Detection: 71%
Yara detected Remcos RAT
Source: Yara match File source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.1910126332.000000000308E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4115847065.00000000027BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1911052257.000000000308E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4115847065.0000000002780000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 5764, type: MEMORYSTR
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 94.5% probability
Machine Learning detection for dropped file
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Joe Sandbox ML: detected
Machine Learning detection for sample
Source: AWkpqJMxci.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_046938C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 8_2_046938C8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 17_2_004338C8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_051545E3 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 17_2_051545E3
Source: colorcpl.exe Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 5764, type: MEMORYSTR

Privilege Escalation
barindex
Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04667538 _wcslen,CoGetObject, 8_2_04667538
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_00407538 _wcslen,CoGetObject, 17_2_00407538
Uses 32bit PE files
Source: AWkpqJMxci.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 142.250.181.33:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: AWkpqJMxci.exe, AWkpqJMxci.exe, 00000000.00000003.1666597559.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D605000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1782458415.000000000238F000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D5CA000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000003.00000003.1762893892.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000005.00000000.1769159470.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000009.00000000.1774119719.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000A.00000000.1777848027.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000D.00000000.1873419118.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000E.00000002.1875239143.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000F.00000002.1876616016.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.3.dr
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000004.00000003.1766895449.0000000000AE0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 0000000B.00000002.1870542553.0000000000D11000.00000020.00000001.01000000.00000009.sdmp, xpha.pif.4.dr
Source: Binary string: easinvoker.pdbH source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: AWkpqJMxci.exe, 00000000.00000003.1666597559.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D605000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1782458415.000000000238F000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D5CA000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1768938154.000000000E668000.00000004.00000020.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1768938154.000000000E63F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: alpha.pif, alpha.pif, 0000000A.00000000.1777848027.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000D.00000000.1873419118.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000E.00000002.1875239143.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000F.00000002.1876616016.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.3.dr
Source: Binary string: ping.pdb source: esentutl.exe, 00000004.00000003.1766895449.0000000000AE0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, xpha.pif, 0000000B.00000002.1870542553.0000000000D11000.00000020.00000001.01000000.00000009.sdmp, xpha.pif.4.dr
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02885908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02885908
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B10207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 5_2_00B10207
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B1589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 5_2_00B1589A
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B14EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 5_2_00B14EC1
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B23E66 FindFirstFileW,FindNextFileW,FindClose, 5_2_00B23E66
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B0532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 5_2_00B0532E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_046696A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_046696A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0466928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_0466928E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0467C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 8_2_0467C322
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0466C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 8_2_0466C388
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0466BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 8_2_0466BD72
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04667877 FindFirstFileW,FindNextFileW, 8_2_04667877
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04668847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 8_2_04668847
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0466BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 8_2_0466BB6B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04679B86 FindFirstFileW,FindNextFileW,FindNextFileW, 8_2_04679B86
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B1589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 10_2_00B1589A
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B10207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 10_2_00B10207
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B14EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 10_2_00B14EC1
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B23E66 FindFirstFileW,FindNextFileW,FindClose, 10_2_00B23E66
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B0532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 10_2_00B0532E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_0040928E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 17_2_0041C322
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 17_2_0040C388
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_004096A0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 17_2_00408847
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_00407877 FindFirstFileW,FindNextFileW, 17_2_00407877
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 17_2_0040BB6B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 17_2_00419B86
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 17_2_0040BD72
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05128592 FindFirstFileW,FindNextFileW, 17_2_05128592
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0512A3BB __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_0512A3BB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0512C886 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 17_2_0512C886
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0513A8A1 FindFirstFileW, 17_2_0513A8A1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0512CA8D FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 17_2_0512CA8D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05129562 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 17_2_05129562
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0513D03D FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 17_2_0513D03D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0512D0A3 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 17_2_0512D0A3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05129FA9 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_05129FA9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04667CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 8_2_04667CD2

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49732 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49733 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49740 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49743 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49745 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49742 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49744 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49741 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49769 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49763 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49806 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49831 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49837 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49800 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49868 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49862 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49900 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49933 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49927 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49961 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49994 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49967 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50001 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49894 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50031 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50032 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50033 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50035 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50030 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50027 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50037 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50034 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50029 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50036 -> 162.216.243.15:2404
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.usercontent.google.com/download?id=1K_zVl3JVaxBaP1lXOhZSCueAU9P7Lpb0
Source: Malware configuration extractor URLs: ogcmaw.duckdns.org
Source: Malware configuration extractor URLs: emberluck.duckdns.org
Uses dynamic DNS services
Source: unknown DNS query: name: ogcmaw.duckdns.org
Source: unknown DNS query: name: emberluck.duckdns.org
Contains functionality to check if a connection to the internet is available
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289E4B8 InternetCheckConnectionA, 0_2_0289E4B8
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49732 -> 162.216.243.15:2404
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.169.69.26 192.169.69.26
Source: Joe Sandbox View IP Address: 192.169.69.26 192.169.69.26
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WOWUS WOWUS
Source: Joe Sandbox View ASN Name: DYNUUS DYNUUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 142.250.181.33:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /download?id=1K_zVl3JVaxBaP1lXOhZSCueAU9P7Lpb0 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.usercontent.google.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04664B96 WaitForSingleObject,SetEvent,recv, 8_2_04664B96
Source: global traffic HTTP traffic detected: GET /download?id=1K_zVl3JVaxBaP1lXOhZSCueAU9P7Lpb0 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.usercontent.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic DNS traffic detected: DNS query: ogcmaw.duckdns.org
Source: global traffic DNS traffic detected: DNS query: emberluck.duckdns.org
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: colorcpl.exe, SndVol.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: colorcpl.exe, 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: AWkpqJMxci.exe, AWkpqJMxci.exe, 00000000.00000002.1805021411.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pmail.com
Source: AWkpqJMxci.exe, 00000000.00000002.1781709227.0000000000785000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D65F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1K_zVl3JVaxBaP1lXOhZSCueAU9P7Lpb0
Source: AWkpqJMxci.exe, 00000000.00000002.1781709227.00000000007A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1K_zVl3JVaxBaP1lXOhZSCueAU9P7Lpb0?
Source: AWkpqJMxci.exe, 00000000.00000002.1781709227.00000000007AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com:443/download?id=1K_zVl3JVaxBaP1lXOhZSCueAU9P7Lpb0x
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 142.250.181.33:443 -> 192.168.2.4:49731 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0466A2F3 SetWindowsHookExA 0000000D,0466A2DF,00000000 8_2_0466A2F3
Contains functionality for read data from the clipboard
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0466B749 OpenClipboard,GetClipboardData,CloseClipboard, 8_2_0466B749
Contains functionality to modify clipboard data
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_046768FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 8_2_046768FC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 17_2_004168FC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05137617 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 17_2_05137617
Contains functionality to read the clipboard data
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0466B749 OpenClipboard,GetClipboardData,CloseClipboard, 8_2_0466B749
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0466A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 8_2_0466A41B
Yara detected Keylogger Generic
Source: Yara match File source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 5764, type: MEMORYSTR

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.1910126332.000000000308E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4115847065.00000000027BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1911052257.000000000308E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4115847065.0000000002780000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 5764, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0467CA73 SystemParametersInfoW, 8_2_0467CA73
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0041CA6D SystemParametersInfoW, 17_2_0041CA6D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0041CA73 SystemParametersInfoW, 17_2_0041CA73
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0513D788 SystemParametersInfoW, 17_2_0513D788
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0513D78E SystemParametersInfoW, 17_2_0513D78E

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: colorcpl.exe PID: 7124, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: SndVol.exe PID: 5764, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289B118 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx, 0_2_0289B118
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02897A2C NtAllocateVirtualMemory, 0_2_02897A2C
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289DC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_0289DC8C
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289DC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_0289DC04
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02897D78 NtWriteVirtualMemory, 0_2_02897D78
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 0_2_0289DD70
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028984C8 NtProtectVirtualMemory, 0_2_028984C8
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02897A2A NtAllocateVirtualMemory, 0_2_02897A2A
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289DBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_0289DBB0
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02898D6E GetThreadContext,SetThreadContext,NtResumeThread, 0_2_02898D6E
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02898D70 GetThreadContext,SetThreadContext,NtResumeThread, 0_2_02898D70
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B164CA NtQueryInformationToken, 5_2_00B164CA
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B1643A NtOpenThreadToken,NtOpenProcessToken,NtClose, 5_2_00B1643A
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B14823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 5_2_00B14823
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B27460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 5_2_00B27460
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B2C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 5_2_00B2C1FA
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B2A135 NtSetInformationFile, 5_2_00B2A135
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B16500 NtQueryInformationToken,NtQueryInformationToken, 5_2_00B16500
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B04E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, 5_2_00B04E3B
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B14759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, 5_2_00B14759
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B164CA NtQueryInformationToken, 10_2_00B164CA
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B1643A NtOpenThreadToken,NtOpenProcessToken,NtClose, 10_2_00B1643A
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B14823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 10_2_00B14823
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B27460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 10_2_00B27460
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B2C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 10_2_00B2C1FA
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B2A135 NtSetInformationFile, 10_2_00B2A135
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B16500 NtQueryInformationToken,NtQueryInformationToken, 10_2_00B16500
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B04E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, 10_2_00B04E3B
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B14759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, 10_2_00B14759
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Code function: 16_2_0281B118 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx, 16_2_0281B118
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Code function: 16_2_02817A2C NtAllocateVirtualMemory, 16_2_02817A2C
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Code function: 16_2_0281DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose, 16_2_0281DD70
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Code function: 16_2_02817D78 NtWriteVirtualMemory, 16_2_02817D78
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Code function: 16_2_028184C8 NtProtectVirtualMemory, 16_2_028184C8
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Code function: 16_2_02817A2A NtAllocateVirtualMemory, 16_2_02817A2A
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Code function: 16_2_0281DBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 16_2_0281DBB0
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Code function: 16_2_0281DC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose, 16_2_0281DC8C
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Code function: 16_2_0281DC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 16_2_0281DC04
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Code function: 16_2_02818D6E Toolhelp32ReadProcessMemory,Thread32Next,GetThreadContext,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Toolhelp32ReadProcessMemory,Heap32ListFirst,SetThreadContext,NtResumeThread,Thread32Next, 16_2_02818D6E
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Code function: 16_2_02818D70 Toolhelp32ReadProcessMemory,Thread32Next,GetThreadContext,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Toolhelp32ReadProcessMemory,Heap32ListFirst,SetThreadContext,NtResumeThread,Thread32Next, 16_2_02818D70
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0513E33B NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 17_2_0513E33B
Contains functionality to communicate with device drivers
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B04C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z, 5_2_00B04C10
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028A8128 CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess, 0_2_028A8128
Contains functionality to shutdown / reboot the system
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_046767EF ExitWindowsEx,LoadLibraryA,GetProcAddress, 8_2_046767EF
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress, 17_2_004167EF
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0513750A ExitWindowsEx,LoadLibraryA,GetProcAddress, 17_2_0513750A
Creates files inside the system directory
Source: C:\Users\Public\alpha.pif File created: C:\Windows Jump to behavior
Source: C:\Users\Public\alpha.pif File created: C:\Windows \SysWOW64 Jump to behavior
Deletes files inside the Windows folder
Source: C:\Users\Public\alpha.pif File deleted: C:\Windows \SysWOW64 Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028820C4 0_2_028820C4
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028AE596 0_2_028AE596
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0288C95F 0_2_0288C95F
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B074B1 5_2_00B074B1
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B04C10 5_2_00B04C10
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B0540A 5_2_00B0540A
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B14875 5_2_00B14875
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B24191 5_2_00B24191
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B2695A 5_2_00B2695A
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B09144 5_2_00B09144
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B13EB3 5_2_00B13EB3
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B2769E 5_2_00B2769E
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B15A86 5_2_00B15A86
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B14EC1 5_2_00B14EC1
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B07A34 5_2_00B07A34
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B0EE03 5_2_00B0EE03
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B0D660 5_2_00B0D660
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B23E66 5_2_00B23E66
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B06E57 5_2_00B06E57
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B10BF0 5_2_00B10BF0
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B06B20 5_2_00B06B20
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B10740 5_2_00B10740
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0468742E 8_2_0468742E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04697566 8_2_04697566
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0469E5A8 8_2_0469E5A8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_046987F0 8_2_046987F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0469706A 8_2_0469706A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04674005 8_2_04674005
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0469E11C 8_2_0469E11C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_046981E8 8_2_046981E8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_046B41D9 8_2_046B41D9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0467F18B 8_2_0467F18B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_046A6270 8_2_046A6270
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0469E34B 8_2_0469E34B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_046B33AB 8_2_046B33AB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04687C40 8_2_04687C40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04697DB3 8_2_04697DB3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04695EEB 8_2_04695EEB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0469DEED 8_2_0469DEED
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04686E9F 8_2_04686E9F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0469797E 8_2_0469797E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_046939D7 8_2_046939D7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_046ADA49 8_2_046ADA49
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04687AD7 8_2_04687AD7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0467DBF3 8_2_0467DBF3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_067346F2 8_2_067346F2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_06738699 8_2_06738699
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0674E764 8_2_0674E764
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_067287F2 8_2_067287F2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0673950B 8_2_0673950B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0673F2C3 8_2_0673F2C3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_06738281 8_2_06738281
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0673F066 8_2_0673F066
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_067540C6 8_2_067540C6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_06728149 8_2_06728149
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0673EE37 8_2_0673EE37
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_06738F03 8_2_06738F03
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_06746F8B 8_2_06746F8B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_06736C06 8_2_06736C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0673EC08 8_2_0673EC08
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_06714D20 8_2_06714D20
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_06737D85 8_2_06737D85
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_06738ACE 8_2_06738ACE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_06727BBA 8_2_06727BBA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0672895B 8_2_0672895B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0671E90E 8_2_0671E90E
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B074B1 10_2_00B074B1
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B04C10 10_2_00B04C10
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B0540A 10_2_00B0540A
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B14875 10_2_00B14875
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B24191 10_2_00B24191
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B2695A 10_2_00B2695A
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B09144 10_2_00B09144
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B13EB3 10_2_00B13EB3
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B2769E 10_2_00B2769E
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B15A86 10_2_00B15A86
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B14EC1 10_2_00B14EC1
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B07A34 10_2_00B07A34
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B0EE03 10_2_00B0EE03
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B0D660 10_2_00B0D660
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B23E66 10_2_00B23E66
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B06E57 10_2_00B06E57
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B10BF0 10_2_00B10BF0
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B06B20 10_2_00B06B20
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B10740 10_2_00B10740
Source: C:\Users\Public\xpha.pif Code function: 11_2_00D11E26 11_2_00D11E26
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Code function: 16_2_028020C4 16_2_028020C4
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Code function: 16_2_0280CA4F 16_2_0280CA4F
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0043706A 17_2_0043706A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_00414005 17_2_00414005
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0043E11C 17_2_0043E11C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_004541D9 17_2_004541D9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_004381E8 17_2_004381E8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0041F18B 17_2_0041F18B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_00446270 17_2_00446270
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0043E34B 17_2_0043E34B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_004533AB 17_2_004533AB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0042742E 17_2_0042742E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_00437566 17_2_00437566
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0043E5A8 17_2_0043E5A8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_004387F0 17_2_004387F0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0043797E 17_2_0043797E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_004339D7 17_2_004339D7
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0044DA49 17_2_0044DA49
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_00427AD7 17_2_00427AD7
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0041DBF3 17_2_0041DBF3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_00427C40 17_2_00427C40
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_00437DB3 17_2_00437DB3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_00435EEB 17_2_00435EEB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0043DEED 17_2_0043DEED
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_00426E9F 17_2_00426E9F
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0516E764 17_2_0516E764
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_051487F2 17_2_051487F2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05158699 17_2_05158699
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_051546F2 17_2_051546F2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05148149 17_2_05148149
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_051740C6 17_2_051740C6
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05158281 17_2_05158281
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05134D20 17_2_05134D20
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05156C06 17_2_05156C06
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0515EC08 17_2_0515EC08
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05158F03 17_2_05158F03
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05166F8B 17_2_05166F8B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0515EE37 17_2_0515EE37
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0513E90E 17_2_0513E90E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0514895B 17_2_0514895B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05158ACE 17_2_05158ACE
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0515950B 17_2_0515950B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0515F066 17_2_0515F066
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0515F2C3 17_2_0515F2C3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05157D85 17_2_05157D85
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0513FEA6 17_2_0513FEA6
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05147BBA 17_2_05147BBA
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 0673551C appears 40 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 04694E70 appears 54 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 04661E65 appears 34 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 06702B80 appears 34 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 06735B8B appears 53 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 04694801 appears 41 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 04662093 appears 50 times
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Code function: String function: 028046D4 appears 155 times
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Code function: String function: 02804860 appears 683 times
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Code function: String function: 0281894C appears 50 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 05155B8B appears 54 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 00402093 appears 50 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 05122B80 appears 34 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 00434801 appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 00401E65 appears 34 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 00434E70 appears 54 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 0515551C appears 40 times
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: String function: 028846D4 appears 244 times
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: String function: 02884860 appears 949 times
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: String function: 02884500 appears 33 times
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: String function: 028844DC appears 74 times
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: String function: 0289894C appears 56 times
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: String function: 028989D0 appears 45 times
Sample file is different than original file name gathered from version info
Source: AWkpqJMxci.exe Binary or memory string: OriginalFilename vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000003.1768938154.000000000E693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000003.1768938154.000000000E664000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000003.1666597559.000000007FBBF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D605000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1805021411.000000007FB50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1782458415.00000000023DE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D5FA000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D65F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Uses 32bit PE files
Source: AWkpqJMxci.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Yara signature match
Source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: colorcpl.exe PID: 7124, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: SndVol.exe PID: 5764, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@34/10@9/4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0467798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 8_2_0467798D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 17_2_0041798D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_051386A8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 17_2_051386A8
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02887FD2 GetDiskFreeSpaceA, 0_2_02887FD2
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289AD98 CreateToolhelp32Snapshot, 0_2_0289AD98
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02896DC8 CoCreateInstance, 0_2_02896DC8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0467B539 FindResourceA,LoadResource,LockResource,SizeofResource, 8_2_0467B539
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0467AD09 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 8_2_0467AD09
Source: C:\Users\user\Desktop\AWkpqJMxci.exe File created: C:\Users\Public\Libraries\PNO Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe Mutant created: \Sessions\1\BaseNamedObjects\Windows Volume App Window
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_03
Source: C:\Windows\SysWOW64\colorcpl.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-SKG82E
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: AWkpqJMxci.exe ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\AWkpqJMxci.exe File read: C:\Users\user\Desktop\AWkpqJMxci.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\AWkpqJMxci.exe "C:\Users\user\Desktop\AWkpqJMxci.exe"
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\rlyzsazB.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\AWkpqJMxci.exe /d C:\\Users\\Public\\Libraries\\Bzaszylr.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Source: unknown Process created: C:\Users\Public\Libraries\Bzaszylr.PIF "C:\Users\Public\Libraries\Bzaszylr.PIF"
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: unknown Process created: C:\Users\Public\Libraries\Bzaszylr.PIF "C:\Users\Public\Libraries\Bzaszylr.PIF"
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\rlyzsazB.cmd" " Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\AWkpqJMxci.exe /d C:\\Users\\Public\\Libraries\\Bzaszylr.PIF /o Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \" Jump to behavior
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: url.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Window found: window name: SysTabControl32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\colorcpl.exe Window detected: Number of UI elements: 12
Source: AWkpqJMxci.exe Static file information: File size 1339392 > 1048576
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: AWkpqJMxci.exe, AWkpqJMxci.exe, 00000000.00000003.1666597559.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D605000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1782458415.000000000238F000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D5CA000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000003.00000003.1762893892.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000005.00000000.1769159470.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000009.00000000.1774119719.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000A.00000000.1777848027.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000D.00000000.1873419118.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000E.00000002.1875239143.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000F.00000002.1876616016.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.3.dr
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000004.00000003.1766895449.0000000000AE0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 0000000B.00000002.1870542553.0000000000D11000.00000020.00000001.01000000.00000009.sdmp, xpha.pif.4.dr
Source: Binary string: easinvoker.pdbH source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: AWkpqJMxci.exe, 00000000.00000003.1666597559.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D605000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1782458415.000000000238F000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D5CA000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1768938154.000000000E668000.00000004.00000020.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1768938154.000000000E63F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: alpha.pif, alpha.pif, 0000000A.00000000.1777848027.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000D.00000000.1873419118.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000E.00000002.1875239143.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000F.00000002.1876616016.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.3.dr
Source: Binary string: ping.pdb source: esentutl.exe, 00000004.00000003.1766895449.0000000000AE0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, xpha.pif, 0000000B.00000002.1870542553.0000000000D11000.00000020.00000001.01000000.00000009.sdmp, xpha.pif.4.dr

Data Obfuscation
barindex
Yara detected DBatLoader
Source: Yara match File source: 0.2.AWkpqJMxci.exe.2880000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.AWkpqJMxci.exe.238f278.2.unpack, type: UNPACKEDPE
Binary contains a suspicious time stamp
Source: alpha.pif.3.dr Static PE information: 0xF8D87E17 [Thu Apr 20 00:53:43 2102 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_0289894C
PE file contains sections with non-standard names
Source: alpha.pif.3.dr Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028AD2FC push 028AD367h; ret 0_2_028AD35F
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028863AE push 0288640Bh; ret 0_2_02886403
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028863B0 push 0288640Bh; ret 0_2_02886403
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0288332C push eax; ret 0_2_02883368
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0288C349 push 8B0288C1h; ret 0_2_0288C34E
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028AC378 push 028AC56Eh; ret 0_2_028AC566
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028AD0AC push 028AD125h; ret 0_2_028AD11D
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289306B push 028930B9h; ret 0_2_028930B1
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289306C push 028930B9h; ret 0_2_028930B1
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028AD1F8 push 028AD288h; ret 0_2_028AD280
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289F108 push ecx; mov dword ptr [esp], edx 0_2_0289F10D
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028AD144 push 028AD1ECh; ret 0_2_028AD1E4
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02886782 push 028867C6h; ret 0_2_028867BE
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02886784 push 028867C6h; ret 0_2_028867BE
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0288D5A0 push 0288D5CCh; ret 0_2_0288D5C4
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0288C56C push ecx; mov dword ptr [esp], edx 0_2_0288C571
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028AC570 push 028AC56Eh; ret 0_2_028AC566
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02898AD8 push 02898B10h; ret 0_2_02898B08
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289AAE0 push 0289AB18h; ret 0_2_0289AB10
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028F4A50 push eax; ret 0_2_028F4B20
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0288CBEC push 0288CD72h; ret 0_2_0288CD6A
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289886C push 028988AEh; ret 0_2_028988A6
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289790C push 02897989h; ret 0_2_02897981
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02896948 push 028969F3h; ret 0_2_028969EB
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02896946 push 028969F3h; ret 0_2_028969EB
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0288C95F push 0288CD72h; ret 0_2_0288CD6A
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02895E7C push ecx; mov dword ptr [esp], edx 0_2_02895E7E
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02892F60 push 02892FD6h; ret 0_2_02892FCE
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B171ED push ecx; ret 5_2_00B17200
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B1722B push ecx; ret 5_2_00B1723E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_046B7186 push ecx; ret 8_2_046B7199

Persistence and Installation Behavior
barindex
Drops PE files with a suspicious file extension
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\Libraries\Bzaszylr.PIF Jump to dropped file
Contains functionality to download and launch executables
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04666EEB ShellExecuteW,URLDownloadToFileW, 8_2_04666EEB
Drops PE files
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\Libraries\Bzaszylr.PIF Jump to dropped file
Drops PE files to the user directory
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif Jump to dropped file

Boot Survival
barindex
Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0467AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 8_2_0467AADB
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Bzaszylr Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Bzaszylr Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289AB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0289AB1C
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Delayed program exit found
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0466F7E2 Sleep,ExitProcess, 8_2_0466F7E2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0040F7E2 Sleep,ExitProcess, 17_2_0040F7E2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_051304FD Sleep,ExitProcess, 17_2_051304FD
Contains functionality to enumerate running services
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 8_2_0467A7D9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 17_2_0041A7D9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 17_2_0513B4F4
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: threadDelayed 662 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: threadDelayed 9320 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\Public\alpha.pif API coverage: 6.3 %
Source: C:\Users\Public\alpha.pif API coverage: 7.7 %
Source: C:\Windows\SysWOW64\SndVol.exe API coverage: 3.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1620 Thread sleep time: -1986000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1620 Thread sleep time: -27960000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\esentutl.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\esentutl.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\esentutl.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\esentutl.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\xpha.pif Last function: Thread delayed
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02885908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02885908
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B10207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 5_2_00B10207
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B1589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 5_2_00B1589A
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B14EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 5_2_00B14EC1
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B23E66 FindFirstFileW,FindNextFileW,FindClose, 5_2_00B23E66
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B0532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 5_2_00B0532E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_046696A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_046696A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0466928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_0466928E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0467C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 8_2_0467C322
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0466C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 8_2_0466C388
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0466BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 8_2_0466BD72
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04667877 FindFirstFileW,FindNextFileW, 8_2_04667877
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04668847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 8_2_04668847
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0466BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 8_2_0466BB6B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04679B86 FindFirstFileW,FindNextFileW,FindNextFileW, 8_2_04679B86
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B1589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 10_2_00B1589A
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B10207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 10_2_00B10207
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B14EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 10_2_00B14EC1
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B23E66 FindFirstFileW,FindNextFileW,FindClose, 10_2_00B23E66
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B0532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 10_2_00B0532E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_0040928E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 17_2_0041C322
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 17_2_0040C388
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_004096A0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 17_2_00408847
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_00407877 FindFirstFileW,FindNextFileW, 17_2_00407877
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 17_2_0040BB6B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 17_2_00419B86
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 17_2_0040BD72
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05128592 FindFirstFileW,FindNextFileW, 17_2_05128592
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0512A3BB __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_0512A3BB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0512C886 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 17_2_0512C886
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0513A8A1 FindFirstFileW, 17_2_0513A8A1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0512CA8D FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 17_2_0512CA8D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05129562 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 17_2_05129562
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0513D03D FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 17_2_0513D03D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0512D0A3 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 17_2_0512D0A3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05129FA9 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_05129FA9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04667CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 8_2_04667CD2
Source: AWkpqJMxci.exe, 00000000.00000002.1781709227.000000000075B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: AWkpqJMxci.exe, 00000000.00000002.1781709227.0000000000785000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWR
Source: xpha.pif, 0000000B.00000002.1870785987.000000000343B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
Source: AWkpqJMxci.exe, 00000000.00000002.1781709227.0000000000785000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: colorcpl.exe, 00000008.00000002.4115847065.00000000027BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: Bzaszylr.PIF, 00000014.00000002.1986625678.0000000000608000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: Bzaszylr.PIF, 00000010.00000002.1911607370.00000000007AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\AWkpqJMxci.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\colorcpl.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\Bzaszylr.PIF API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289F744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 0_2_0289F744
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process queried: DebugPort Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B22E37 IsDebuggerPresent, 5_2_00B22E37
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_0289894C
Contains functionality to read the PEB
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B2C1FA mov eax, dword ptr fs:[00000030h] 5_2_00B2C1FA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_046A3355 mov eax, dword ptr fs:[00000030h] 8_2_046A3355
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_06701103 mov eax, dword ptr fs:[00000030h] 8_2_06701103
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_06701103 mov eax, dword ptr fs:[00000030h] 8_2_06701103
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_06744070 mov eax, dword ptr fs:[00000030h] 8_2_06744070
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B2C1FA mov eax, dword ptr fs:[00000030h] 10_2_00B2C1FA
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_00443355 mov eax, dword ptr fs:[00000030h] 17_2_00443355
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05121103 mov eax, dword ptr fs:[00000030h] 17_2_05121103
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05121103 mov eax, dword ptr fs:[00000030h] 17_2_05121103
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05164070 mov eax, dword ptr fs:[00000030h] 17_2_05164070
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B0A9D4 GetEnvironmentStringsW,GetProcessHeap,RtlAllocateHeap,memcpy,FreeEnvironmentStringsW, 5_2_00B0A9D4
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B16EC0 SetUnhandledExceptionFilter, 5_2_00B16EC0
Source: C:\Users\Public\alpha.pif Code function: 5_2_00B16B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00B16B40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0469503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_0469503C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04694A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_04694A8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0469BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0469BB71
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04694BD8 SetUnhandledExceptionFilter, 8_2_04694BD8
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B16EC0 SetUnhandledExceptionFilter, 10_2_00B16EC0
Source: C:\Users\Public\alpha.pif Code function: 10_2_00B16B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00B16B40
Source: C:\Users\Public\xpha.pif Code function: 11_2_00D13470 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00D13470
Source: C:\Users\Public\xpha.pif Code function: 11_2_00D13600 SetUnhandledExceptionFilter, 11_2_00D13600
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_0043503C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00434A8A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_0043BB71
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_00434BD8 SetUnhandledExceptionFilter, 17_2_00434BD8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_0515C88C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_0515C88C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_051557A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_051557A5
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05155D57 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_05155D57
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_051558F3 SetUnhandledExceptionFilter, 17_2_051558F3

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 6700000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 5120000 protect: page execute and read and write Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Thread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 6701617 Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Thread created: C:\Windows\SysWOW64\SndVol.exe EIP: 5121617 Jump to behavior
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6700000 value starts with: 4D5A Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Memory written: C:\Windows\SysWOW64\SndVol.exe base: 5120000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6700000 Jump to behavior
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Memory written: C:\Windows\SysWOW64\SndVol.exe base: 5120000 Jump to behavior
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 8_2_04672132
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 17_2_00412132
Contains functionality to simulate mouse events
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04679662 mouse_event, 8_2_04679662
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \" Jump to behavior
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 Jump to behavior
Source: colorcpl.exe, 00000008.00000002.4115847065.00000000027BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: colorcpl.exe, 00000008.00000002.4115847065.00000000027BA000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.4115847065.0000000002780000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04694CB6 cpuid 8_2_04694CB6
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02885ACC
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: GetLocaleInfoA, 0_2_0288A7C4
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02885BD8
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: GetLocaleInfoA, 0_2_0288A810
Source: C:\Users\Public\alpha.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 5_2_00B08572
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 5_2_00B06854
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 5_2_00B09310
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_046B24BC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 8_2_046A8484
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 8_2_046B25C3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_046B2690
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 8_2_046B201B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 8_2_046B20B6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_046B2143
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 8_2_046B2393
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 8_2_046B1D58
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 8_2_046B1FD0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 8_2_046A896D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoA, 8_2_0466F90C
Source: C:\Users\Public\alpha.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 10_2_00B08572
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 10_2_00B06854
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 10_2_00B09310
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 16_2_02805ACC
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 16_2_02805BD7
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Code function: GetLocaleInfoA, 16_2_0280A810
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 17_2_0045201B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 17_2_004520B6
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 17_2_00452143
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 17_2_00452393
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 17_2_00448484
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 17_2_004524BC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 17_2_004525C3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 17_2_00452690
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 17_2_0044896D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoA, 17_2_0040F90C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 17_2_00451D58
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 17_2_00451FD0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoA, 17_2_05130627
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 17_2_05172D36
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 17_2_05172DD1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 17_2_05172CEB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 17_2_05172E5E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 17_2_05172A73
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 17_2_05169688
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 17_2_0516919F
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 17_2_051731D7
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 17_2_051730AE
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 17_2_051733AB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 17_2_051732DE
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\alpha.pif Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0288920C GetLocalTime, 0_2_0288920C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0467B69E GetUserNameW, 8_2_0467B69E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_046A942D _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 8_2_046A942D
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0288B78C GetVersionExA, 0_2_0288B78C
Source: C:\Users\Public\Libraries\Bzaszylr.PIF Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgemc.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.1910126332.000000000308E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4115847065.00000000027BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1911052257.000000000308E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4115847065.0000000002780000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 5764, type: MEMORYSTR
Contains functionality to steal Chrome passwords or cookies
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 8_2_0466BA4D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 17_2_0040BA4D
Contains functionality to steal Firefox passwords or cookies
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 8_2_0466BB6B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \key3.db 8_2_0466BB6B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 17_2_0040BB6B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \key3.db 17_2_0040BB6B

Remote Access Functionality
barindex
Detected Remcos RAT
Source: C:\Windows\SysWOW64\colorcpl.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-SKG82E Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-SKG82E
Yara detected Remcos RAT
Source: Yara match File source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.1910126332.000000000308E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4115847065.00000000027BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1911052257.000000000308E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4115847065.0000000002780000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 5764, type: MEMORYSTR
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: cmd.exe 8_2_0466569A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: cmd.exe 17_2_0040569A
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1562870 Sample: AWkpqJMxci.exe Startdate: 26/11/2024 Architecture: WINDOWS Score: 100 58 ogcmaw.duckdns.org 2->58 60 emberluck.duckdns.org 2->60 62 2 other IPs or domains 2->62 78 Suricata IDS alerts for network traffic 2->78 80 Found malware configuration 2->80 82 Malicious sample detected (through community Yara rule) 2->82 86 12 other signatures 2->86 9 AWkpqJMxci.exe 1 6 2->9         started        14 Bzaszylr.PIF 2->14         started        16 Bzaszylr.PIF 2->16         started        signatures3 84 Uses dynamic DNS services 60->84 process4 dnsIp5 68 drive.usercontent.google.com 142.250.181.33, 443, 49730, 49731 GOOGLEUS United States 9->68 48 C:\Users\Public\Libraries\rlyzsazB.cmd, DOS 9->48 dropped 50 C:\Users\Public\Libraries\Bzaszylr, data 9->50 dropped 52 C:\Users\Public\Bzaszylr.url, MS 9->52 dropped 102 Writes to foreign memory regions 9->102 104 Allocates memory in foreign processes 9->104 106 Creates a thread in another existing process (thread injection) 9->106 114 2 other signatures 9->114 18 colorcpl.exe 5 9->18         started        22 cmd.exe 1 9->22         started        24 esentutl.exe 2 9->24         started        108 Antivirus detection for dropped file 14->108 110 Multi AV Scanner detection for dropped file 14->110 112 Machine Learning detection for dropped file 14->112 27 SndVol.exe 14->27         started        29 colorcpl.exe 16->29         started        file6 signatures7 process8 dnsIp9 64 emberluck.duckdns.org 192.169.69.26, 2500, 49733, 49741 WOWUS United States 18->64 66 ogcmaw.duckdns.org 162.216.243.15, 2404, 49732, 49740 DYNUUS United States 18->66 88 Contains functionality to bypass UAC (CMSTPLUA) 18->88 90 Detected Remcos RAT 18->90 92 Contains functionalty to change the wallpaper 18->92 94 Contains functionality to register a low level keyboard hook 18->94 31 esentutl.exe 2 22->31         started        35 alpha.pif 1 22->35         started        37 esentutl.exe 2 22->37         started        41 6 other processes 22->41 46 C:\Users\Public\Libraries\Bzaszylr.PIF, PE32 24->46 dropped 39 conhost.exe 24->39         started        96 Contains functionality to steal Chrome passwords or cookies 27->96 98 Contains functionality to steal Firefox passwords or cookies 27->98 100 Delayed program exit found 27->100 file10 signatures11 process12 file13 54 C:\Users\Public\alpha.pif, PE32 31->54 dropped 72 Drops PE files to the user root directory 31->72 74 Drops PE files with a suspicious file extension 31->74 76 Drops or copies cmd.exe with a different name (likely to bypass HIPS) 31->76 43 xpha.pif 1 35->43         started        56 C:\Users\Public\xpha.pif, PE32 37->56 dropped signatures14 process15 dnsIp16 70 127.0.0.1 unknown unknown 43->70
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.181.33
 drive.usercontent.google.com United States
15169 GOOGLEUS false
192.169.69.26
 emberluck.duckdns.org United States
23033 WOWUS true
162.216.243.15
 ogcmaw.duckdns.org United States
398019 DYNUUS true

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true
ogcmaw.duckdns.org 162.216.243.15 true
drive.usercontent.google.com 142.250.181.33 true
emberluck.duckdns.org 192.169.69.26 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
ogcmaw.duckdns.org true
  • Avira URL Cloud: safe
 unknown
https://drive.usercontent.google.com/download?id=1K_zVl3JVaxBaP1lXOhZSCueAU9P7Lpb0 false
    		high
    emberluck.duckdns.org true
    • Avira URL Cloud: safe
    		 unknown