Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00559253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 5_2_00559253 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0056C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, | 5_2_0056C291 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0055C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, | 5_2_0055C34D |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00559665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 5_2_00559665 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0059E879 FindFirstFileExA, | 5_2_0059E879 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0055880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, | 5_2_0055880C |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0055783C FindFirstFileW,FindNextFileW, | 5_2_0055783C |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00569AF5 FindFirstFileW,FindNextFileW,FindNextFileW, | 5_2_00569AF5 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0055BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, | 5_2_0055BB30 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0055BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, | 5_2_0055BD37 |
Source: tu.exe, SentinelOne.exe.0.dr | String found in binary or memory: http://.inihttps://map/set |
Source: tu.exe, SentinelOne.exe.0.dr | String found in binary or memory: http://certificates.godaddy.com/repository/0 |
Source: tu.exe, SentinelOne.exe.0.dr | String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0 |
Source: tu.exe, SentinelOne.exe.0.dr | String found in binary or memory: http://certs.godaddy.com/repository/1301 |
Source: tu.exe, SentinelOne.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T |
Source: tu.exe, SentinelOne.exe.0.dr | String found in binary or memory: http://crl.globalsign.net/root.crl0 |
Source: tu.exe, SentinelOne.exe.0.dr | String found in binary or memory: http://crl.godaddy.com/gdig2s5-6.crl0 |
Source: tu.exe, SentinelOne.exe.0.dr | String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F |
Source: tu.exe, SentinelOne.exe.0.dr | String found in binary or memory: http://down.360safe.com/360zip_setup.exe360SysReset |
Source: tu.exe, SentinelOne.exe.0.dr | String found in binary or memory: http://down.360safe.com/setup.exeIsBetaVersion360ver.dllSOFTWARE |
Source: tu.exe, SentinelOne.exe.0.dr | String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe |
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/ |
Source: tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/; |
Source: tu.exe, 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp |
Source: tu.exe, 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, tu.exe, 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, tu.exe, 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C |
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpJ |
Source: tu.exe, 00000005.00000003.2347351969.0000000000937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpK |
Source: tu.exe, 00000005.00000003.2347351969.0000000000937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpQ |
Source: tu.exe, 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32 |
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpT |
Source: tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpalF |
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl |
Source: tu.exe, SentinelOne.exe.0.dr | String found in binary or memory: http://ocsp.godaddy.com/0 |
Source: tu.exe, SentinelOne.exe.0.dr | String found in binary or memory: http://ocsp.godaddy.com/05 |
Source: tu.exe, SentinelOne.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0 |
Source: tu.exe, SentinelOne.exe.0.dr | String found in binary or memory: https://certs.godaddy.com/repository/0 |
Source: tu.exe, SentinelOne.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0 |
Source: tu.exe, SentinelOne.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/03 |
Source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: tu.exe PID: 5412, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: tu.exe PID: 4256, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: tu.exe PID: 5412, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: tu.exe PID: 4256, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: k7rn7l32.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: ntd3ll.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: d3d9.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: dwmapi.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: d3d10warp.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: rstrtmgr.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: ncrypt.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: ntasn1.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\tu.exe | Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\tu.exe | Code function: 0_2_00403180 push ecx; mov dword ptr [esp], 00000000h | 0_2_00403181 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 0_2_00432321 push ecx; ret | 0_2_00432334 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 0_2_00403400 push ecx; mov dword ptr [esp], 00000000h | 0_2_00403401 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_004140D0 push ecx; retf | 5_2_004140A5 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_004140A6 push ecx; retf | 5_2_004140A5 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_004140BB push ecx; retf | 5_2_004140C1 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00403180 push ecx; mov dword ptr [esp], 00000000h | 5_2_00403181 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_004152A0 push edi; retf | 5_2_0041537A |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00417356 push ecx; retf | 5_2_0041750A |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0041537B push edi; retf | 5_2_0041537A |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00432321 push ecx; ret | 5_2_00432334 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00415390 push edi; retf | 5_2_0041537A |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0041539E push edi; retf | 5_2_0041537A |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00403400 push ecx; mov dword ptr [esp], 00000000h | 5_2_00403401 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00415432 push edi; retf | 5_2_0041543F |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_004154D3 push edi; retf | 5_2_00415512 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0041750B push ecx; retf | 5_2_0041750A |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00417535 push ecx; retf | 5_2_0041750A |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0041E630 push ecx; retf | 5_2_0041E631 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_004136EA push ecx; retf | 5_2_00413729 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00413746 push ecx; retf | 5_2_00413729 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00418711 push ecx; retf | 5_2_004188C7 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0041372A push ecx; retf | 5_2_00413729 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_004137D3 push edi; retf | 5_2_004137E0 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_004137BE push esp; retf | 5_2_004137D2 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00413840 push ecx; retf | 5_2_00413851 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00413867 push edi; retf | 5_2_0041386D |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_004188C8 push ecx; retf | 5_2_004188C7 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_004188F2 push ecx; retf | 5_2_004188C7 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00415A8C push ecx; retf | 5_2_00415A92 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00415AA8 push ecx; retf | 5_2_00415AAE |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00559253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 5_2_00559253 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0056C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, | 5_2_0056C291 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0055C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, | 5_2_0055C34D |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00559665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 5_2_00559665 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0059E879 FindFirstFileExA, | 5_2_0059E879 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0055880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, | 5_2_0055880C |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0055783C FindFirstFileW,FindNextFileW, | 5_2_0055783C |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00569AF5 FindFirstFileW,FindNextFileW,FindNextFileW, | 5_2_00569AF5 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0055BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, | 5_2_0055BB30 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0055BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, | 5_2_0055BD37 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 0_2_0042F43A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_0042F43A |
Source: C:\Users\user\Desktop\tu.exe | Code function: 0_2_00430B49 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_00430B49 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 0_2_00414B51 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_00414B51 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 0_2_00435C77 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_00435C77 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0042F43A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 5_2_0042F43A |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00430B49 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 5_2_00430B49 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00435C77 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 5_2_00435C77 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_005849F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 5_2_005849F9 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00584B47 SetUnhandledExceptionFilter, | 5_2_00584B47 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_0058BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 5_2_0058BB22 |
Source: C:\Users\user\Desktop\tu.exe | Code function: 5_2_00584FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 5_2_00584FDC |
Source: tu.exe, 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager |
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerC5\08 |
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerC5\D |
Source: tu.exe, 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerQ |
Source: tu.exe, 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerC5\ |
Source: tu.exe, 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager_ |
Source: tu.exe, 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager| |
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerC5\2V |
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerC5\2 |
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerC5\25 |
Source: tu.exe, 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager9 |
Source: tu.exe, 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, logs.dat.5.dr | Binary or memory string: [Program Manager] |
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerC5\54 |
Source: C:\Users\user\Desktop\tu.exe | Code function: GetLocaleInfoA, | 0_2_00454050 |
Source: C:\Users\user\Desktop\tu.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, | 0_2_0044B1C1 |
Source: C:\Users\user\Desktop\tu.exe | Code function: GetLocaleInfoA, | 0_2_0045322C |
Source: C:\Users\user\Desktop\tu.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, | 0_2_0044B2AE |
Source: C:\Users\user\Desktop\tu.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, | 0_2_004492AE |
Source: C:\Users\user\Desktop\tu.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, | 0_2_0044B351 |
Source: C:\Users\user\Desktop\tu.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, | 0_2_0044B315 |
Source: C:\Users\user\Desktop\tu.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, | 0_2_0044845E |
Source: C:\Users\user\Desktop\tu.exe | Code function: GetLocaleInfoW, | 0_2_00448411 |
Source: C:\Users\user\Desktop\tu.exe | Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, | 0_2_0044842A |
Source: C:\Users\user\Desktop\tu.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, | 0_2_00449539 |
Source: C:\Users\user\Desktop\tu.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, | 0_2_0044859D |
Source: C:\Users\user\Desktop\tu.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, | 0_2_004497FF |
Source: C:\Users\user\Desktop\tu.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, | 0_2_00448C0D |
Source: C:\Users\user\Desktop\tu.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, | 0_2_0044ADCC |
Source: C:\Users\user\Desktop\tu.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, | 0_2_00435DAF |
Source: C:\Users\user\Desktop\tu.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, | 0_2_0044AEE3 |
Source: C:\Users\user\Desktop\tu.exe | Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, | 0_2_0044AF7B |
Source: C:\Users\user\Desktop\tu.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, | 0_2_0044AFEF |
Source: C:\Users\user\Desktop\tu.exe | Code function: GetLocaleInfoA, | 5_2_00454050 |
Source: C:\Users\user\Desktop\tu.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, | 5_2_0044B1C1 |
Source: C:\Users\user\Desktop\tu.exe | Code function: GetLocaleInfoA, | 5_2_0045322C |
Source: C:\Users\user\Desktop\tu.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, | 5_2_0044B2AE |
Source: C:\Users\user\Desktop\tu.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, | 5_2_004492AE |
Source: C:\Users\user\Desktop\tu.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, | 5_2_0044B351 |
Source: C:\Users\user\Desktop\tu.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, | 5_2_0044B315 |
Source: C:\Users\user\Desktop\tu.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, | 5_2_0044845E |
Source: C:\Users\user\Desktop\tu.exe | Code function: GetLocaleInfoW, | 5_2_00448411 |
Source: C:\Users\user\Desktop\tu.exe | Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, | 5_2_0044842A |
Source: C:\Users\user\Desktop\tu.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, | 5_2_00449539 |
Source: C:\Users\user\Desktop\tu.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, | 5_2_0044859D |
Source: C:\Users\user\Desktop\tu.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, | 5_2_004497FF |
Source: C:\Users\user\Desktop\tu.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, | 5_2_00448C0D |
Source: C:\Users\user\Desktop\tu.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, | 5_2_0044ADCC |
Source: C:\Users\user\Desktop\tu.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, | 5_2_00435DAF |
Source: C:\Users\user\Desktop\tu.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, | 5_2_0044AEE3 |
Source: C:\Users\user\Desktop\tu.exe | Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, | 5_2_0044AF7B |
Source: C:\Users\user\Desktop\tu.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, | 5_2_0044AFEF |
Source: C:\Users\user\Desktop\tu.exe | Code function: GetLocaleInfoA, | 5_2_0055F8D1 |
Source: C:\Users\user\Desktop\tu.exe | Code function: EnumSystemLocalesW, | 5_2_005A2036 |
Source: C:\Users\user\Desktop\tu.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, | 5_2_005A20C3 |
Source: C:\Users\user\Desktop\tu.exe | Code function: GetLocaleInfoW, | 5_2_005A2313 |
Source: C:\Users\user\Desktop\tu.exe | Code function: EnumSystemLocalesW, | 5_2_00598404 |
Source: C:\Users\user\Desktop\tu.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, | 5_2_005A243C |
Source: C:\Users\user\Desktop\tu.exe | Code function: GetLocaleInfoW, | 5_2_005A2543 |
Source: C:\Users\user\Desktop\tu.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, | 5_2_005A2610 |
Source: C:\Users\user\Desktop\tu.exe | Code function: GetLocaleInfoW, | 5_2_005988ED |
Source: C:\Users\user\Desktop\tu.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, | 5_2_005A1CD8 |
Source: C:\Users\user\Desktop\tu.exe | Code function: EnumSystemLocalesW, | 5_2_005A1F50 |
Source: C:\Users\user\Desktop\tu.exe | Code function: EnumSystemLocalesW, | 5_2_005A1F9B |