Windows Analysis Report
XY2I8rWLkM.exe

Overview

General Information

Sample name: XY2I8rWLkM.exe (renamed because the original name is a hash value)
Original sample name: 29af19382bdeadee6d93b98f354e703d.exe
Analysis ID: 1428364
MD5: 29af19382bdeadee6d93b98f354e703d
SHA1: 3d38885812aa0c910025d86e05287600c745f5c8
SHA256: 8a005601e52341e8aff3c95cf30f4ede6b874d2b7e6ffdb9afda9425733fc5d7
Tags: exe, RAT, RemcosRAT

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Creation with Colorcpl
Uses dynamic DNS services
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

AV Detection

Source: http://geoplugin.net/json.gp URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C URL Reputation: Label: phishing
Source: C:\Users\Public\Libraries\netutils.dll Avira: detection malicious, Label: TR/AVI.Agent.rqsyc
Source: 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "jantis.duckdns.org:1188:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-TALGAI", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\Public\Libraries\Ocihlomc.PIF ReversingLabs: Detection: 52%
Source: C:\Users\Public\Libraries\netutils.dll ReversingLabs: Detection: 44%
Source: XY2I8rWLkM.exe ReversingLabs: Detection: 52%
Source: Yara match File source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2153175404.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 2380, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\ffrrdds\logs.dat, type: DROPPED
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Joe Sandbox ML: detected
Source: XY2I8rWLkM.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04693837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 5_2_04693837
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C663837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 8_2_1C663837
Source: colorcpl.exe Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits


Privilege Escalation

Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046674FD _wcslen,CoGetObject, 5_2_046674FD
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C6374FD _wcslen,CoGetObject, 8_2_1C6374FD
Source: XY2I8rWLkM.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013B67000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source: Binary string: easinvoker.pdbH source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013B67000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2037895391.0000000014C50000.00000004.00000020.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028A58CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_028A58CC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04669665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 5_2_04669665
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04669253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 5_2_04669253
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0467C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 5_2_0467C291
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 5_2_0466C34D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 5_2_0466BD37
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046AE879 FindFirstFileExA, 5_2_046AE879
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466783C FindFirstFileW,FindNextFileW, 5_2_0466783C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 5_2_0466880C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04679AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 5_2_04679AF5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 5_2_0466BB30
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C63BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 8_2_1C63BD37
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C67E879 FindFirstFileExA, 8_2_1C67E879
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C63783C FindFirstFileW,FindNextFileW, 8_2_1C63783C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C63880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 8_2_1C63880C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C649AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 8_2_1C649AF5
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C63BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 8_2_1C63BB30
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C639665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_1C639665
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C639253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_1C639253
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C64C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 8_2_1C64C291
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C63C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 8_2_1C63C34D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04667C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 5_2_04667C97

Networking

Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.5:49707 -> 103.186.117.171:1188
Source: Traffic Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 103.186.117.171:1188 -> 192.168.2.5:49707
Source: Malware configuration extractor URLs: jantis.duckdns.org
Source: unknown DNS query: name: jantis.duckdns.org
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028BC8AC InternetCheckConnectionA, 0_2_028BC8AC
Source: global traffic TCP traffic: 192.168.2.5:49707 -> 103.186.117.171:1188
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 13.107.139.11
Source: Joe Sandbox View IP Address: 178.237.33.50
Source: Joe Sandbox View ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /download?resid=38773C188FECDED2%21107&authkey=!APdTZ0yd8fEkIVs HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: onedrive.live.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0467B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 5_2_0467B380
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: colorcpl.exe, 00000005.00000003.2049864957.000000000046A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4443196477.000000000045F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2049726907.000000000045F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/
Source: colorcpl.exe, 00000005.00000003.2049864957.000000000046A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2049726907.000000000045F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/#Y
Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4443196477.000000000045F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2049726907.000000000045F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2049726907.0000000000451000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4443196477.00000000003E4000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4443196477.0000000000451000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: colorcpl.exe, 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: colorcpl.exe, 00000005.00000003.2049726907.0000000000451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpJ6
Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpX
Source: colorcpl.exe, 00000005.00000003.2049726907.0000000000451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpc6
Source: colorcpl.exe, 00000005.00000003.2049726907.0000000000451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpm6
Source: colorcpl.exe, 00000005.00000003.2049726907.0000000000451000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4443196477.0000000000451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp~6
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: XY2I8rWLkM.exe, XY2I8rWLkM.exe, 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2027190578.000000000228A000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2051616049.000000007FC10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pmail.com
Source: XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gjc1pa.dm.files.1drv.com/
Source: XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gjc1pa.dm.files.1drv.com/y4m5jEZDAORJUhy5vxdvGivD8AK7KXuBMHd6mI9R-9NoISk9eoRi5CGeKvx95WShCc-
Source: XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gjc1pa.dm.files.1drv.com/y4mpj9fRwfOnuyzM7YwI58jRvZ-dYfMjomP1KUnTARA567zRfUcLOtOoq9VQbjgVxqr
Source: XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gjc1pa.dm.files.1drv.com:443/y4m5jEZDAORJUhy5vxdvGivD8AK7KXuBMHd6mI9R-9NoISk9eoRi5CGeKvx95WS
Source: XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://live.com/
Source: XY2I8rWLkM.exe, 00000000.00000002.2026131247.000000000078A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/J
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013C40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download?resid=38773C188FECDED2%21107&authkey=
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49705 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466A2B8 SetWindowsHookExA 0000000D,0466A2A4,00000000 5_2_0466A2B8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466B70E OpenClipboard,GetClipboardData,CloseClipboard, 5_2_0466B70E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046768C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 5_2_046768C1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C6468C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 8_2_1C6468C1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 5_2_0466A3E0

E-Banking Fraud

Source: Yara match File source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2153175404.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 2380, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\ffrrdds\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0467C9E2 SystemParametersInfoW, 5_2_0467C9E2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C64C9E2 SystemParametersInfoW, 8_2_1C64C9E2

System Summary

Source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: colorcpl.exe PID: 2800, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: SndVol.exe PID: 2380, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\Public\Libraries\OcihlomcO.bat, type: DROPPED Matched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen
Source: netutils.dll.0.dr Static PE information: section name: . (reported for 11 of the file's sections)
Source: C:\Windows\SysWOW64\colorcpl.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028BC3F8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_028BC3F8
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028BC368 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_028BC368
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028BA1C0 GetModuleHandleW,GetProcAddress,NtOpenProcess,GetCurrentProcess,IsBadReadPtr,IsBadReadPtr,GetCurrentProcess,GetModuleHandleW,GetProcAddress,NtWriteVirtualMemory,GetModuleHandleW,GetProcAddress,NtCreateThreadEx,CloseHandle, 0_2_028BA1C0
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028BC4DC RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 0_2_028BC4DC
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B7AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_028B7AC0
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B7968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 0_2_028B7968
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028BC3F6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_028BC3F6
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B79FC GetModuleHandleW,GetProcAddress,NtProtectVirtualMemory, 0_2_028B79FC
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B7966 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 0_2_028B7966
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B7F48 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread, 0_2_028B7F48
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B7F46 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread, 0_2_028B7F46
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Code function: 7_2_02AFA1C0 NtOpenProcess,NtWriteVirtualMemory,NtCreateThreadEx, 7_2_02AFA1C0
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Code function: 7_2_02AFC4DC NtOpenFile,NtReadFile, 7_2_02AFC4DC
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Code function: 7_2_02AF7968 NtAllocateVirtualMemory, 7_2_02AF7968
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Code function: 7_2_02AF79FC NtProtectVirtualMemory, 7_2_02AF79FC
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Code function: 7_2_02AF7966 NtAllocateVirtualMemory, 7_2_02AF7966
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028BCA6C CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle, 0_2_028BCA6C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046767B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 5_2_046767B4
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C6467B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 8_2_1C6467B4
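The hook, clipboard and Nt* call chains listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" and in the entries directly above are the strongest behavioural evidence in this report: a SetWindowsHookExA call whose first argument is 0x0D (WH_KEYBOARD_LL, the low-level keyboard hook), OpenClipboard followed by GetClipboardData, NtOpenProcess then NtWriteVirtualMemory then NtCreateThreadEx (remote thread injection), and CreateProcessAsUserW, GetThreadContext, NtUnmapViewOfSection, NtWriteVirtualMemory, SetThreadContext, NtResumeThread (process hollowing). The Python script below is an added example, not part of the Joe Sandbox report and not Remcos or DBatLoader code: it parses "Code function" lines in the format shown on this page, tags each one with the injection or capture pattern whose API order it contains, and decodes the hook ID argument. The six report lines embedded in it are copied from this page; the notepad.exe control line, the pattern names and the alternative API names accepted at each step are the example's own assumptions.

```python
import re
from typing import Dict, List, Optional, Set

# Six lines copied verbatim from this report, plus one constructed benign
# control line (notepad.exe) in the same format for contrast.
REPORT_LINES = [
    r"Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466A2B8 SetWindowsHookExA 0000000D,0466A2A4,00000000 5_2_0466A2B8",
    r"Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466B70E OpenClipboard,GetClipboardData,CloseClipboard, 5_2_0466B70E",
    r"Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028BA1C0 GetModuleHandleW,GetProcAddress,NtOpenProcess,GetCurrentProcess,IsBadReadPtr,IsBadReadPtr,GetCurrentProcess,GetModuleHandleW,GetProcAddress,NtWriteVirtualMemory,GetModuleHandleW,GetProcAddress,NtCreateThreadEx,CloseHandle, 0_2_028BA1C0",
    r"Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B7F48 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread, 0_2_028B7F48",
    r"Source: C:\Users\Public\Libraries\Ocihlomc.PIF Code function: 7_2_02AFA1C0 NtOpenProcess,NtWriteVirtualMemory,NtCreateThreadEx, 7_2_02AFA1C0",
    r"Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0467C9E2 SystemParametersInfoW, 5_2_0467C9E2",
    r"Source: C:\Windows\System32\notepad.exe Code function: 9_2_00401000 GetModuleHandleW,GetProcAddress,CloseHandle, 9_2_00401000",  # constructed control
]

# "Source: <image path> Code function: <proc_run_addr> <apis>[ <args>] <proc_run_addr>"
LINE_RE = re.compile(r"^Source: (?P<path>.+?) Code function: (?P<fid>\S+) (?P<body>.*?) (?P=fid)$")

# Each pattern is an ordered subsequence: the steps must appear in this order,
# unrelated calls in between are allowed. Every step lists the API names
# (Win32 and native) that satisfy it. Names chosen for this example.
PATTERNS: Dict[str, List[tuple]] = {
    "process_hollowing": [
        ("CreateProcessW", "CreateProcessA", "CreateProcessAsUserW", "CreateProcessInternalW"),
        ("GetThreadContext",),
        ("NtUnmapViewOfSection", "ZwUnmapViewOfSection"),
        ("NtWriteVirtualMemory", "WriteProcessMemory"),
        ("SetThreadContext",),
        ("NtResumeThread", "ResumeThread"),
    ],
    "remote_thread_injection": [
        ("NtOpenProcess", "OpenProcess"),
        ("NtWriteVirtualMemory", "WriteProcessMemory"),
        ("NtCreateThreadEx", "CreateRemoteThread", "RtlCreateUserThread"),
    ],
    "clipboard_read": [("OpenClipboard",), ("GetClipboardData",)],
}

# idHook values from winuser.h; 13 is WH_KEYBOARD_LL, the keylogger favourite.
HOOK_IDS = {2: "keyboard_hook", 7: "mouse_hook", 13: "low_level_keyboard_hook", 14: "low_level_mouse_hook"}


def parse_line(line: str) -> Optional[Dict]:
    """Split one report line into image path, function id, API list and args."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    head, _, tail = m.group("body").partition(" ")   # args follow the APIs after a space
    return {
        "path": m.group("path"),
        "fid": m.group("fid"),
        "apis": [a for a in head.split(",") if a],
        "args": [a for a in tail.split(",") if a],
    }


def matches_sequence(apis: List[str], steps: List[tuple]) -> bool:
    """True when every step is satisfied, in order, by some later API call."""
    idx = 0
    for api in apis:
        if idx < len(steps) and api in steps[idx]:
            idx += 1
    return idx == len(steps)


def classify(line: str) -> Dict:
    """Tag a report line with every pattern its API order satisfies."""
    rec = parse_line(line)
    if rec is None:
        raise ValueError("not a 'Code function' report line")
    tags = [name for name, steps in PATTERNS.items() if matches_sequence(rec["apis"], steps)]
    # The report only attaches arguments when a single API is listed, so the
    # first argument can be read as idHook only in that case.
    if len(rec["apis"]) == 1 and rec["apis"][0] in ("SetWindowsHookExA", "SetWindowsHookExW") and rec["args"]:
        hook = HOOK_IDS.get(int(rec["args"][0], 16))
        if hook:
            tags.append(hook)
    rec["tags"] = tags
    return rec


def summarize(lines: List[str]) -> Dict[str, Set[str]]:
    """Collect the union of tags per image path; lines of other kinds are skipped."""
    by_process: Dict[str, Set[str]] = {}
    for line in lines:
        if parse_line(line) is None:
            continue
        rec = classify(line)
        by_process.setdefault(rec["path"], set()).update(rec["tags"])
    return by_process


if __name__ == "__main__":
    for path, tags in summarize(REPORT_LINES).items():
        print(f"{path}: {sorted(tags) or 'no injection/capture pattern'}")
```

Two caveats when using this on other reports: a "Code function" entry records that the call sequence exists in the (unpacked) code, not that the sandbox observed it executing, so pair these tags with the runtime signatures ("Writes to foreign memory regions", "Creates a thread in another existing process") before drawing conclusions; and because the report prints these chains for injected code under the host image name (colorcpl.exe, SndVol.exe), the path in a tag identifies the process that was hollowed, not the file that carried the logic.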
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028A20C4 0_2_028A20C4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046974E6 5_2_046974E6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0469E558 5_2_0469E558
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04698770 5_2_04698770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0467F0FA 5_2_0467F0FA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0469E0CC 5_2_0469E0CC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04698168 5_2_04698168
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046B4159 5_2_046B4159
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046A61F0 5_2_046A61F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0469E2FB 5_2_0469E2FB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046B332B 5_2_046B332B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0468739D 5_2_0468739D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04697D33 5_2_04697D33
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04695E5E 5_2_04695E5E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04686E0E 5_2_04686E0E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0469DE9D 5_2_0469DE9D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04696FEA 5_2_04696FEA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04673FCA 5_2_04673FCA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046978FE 5_2_046978FE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04693946 5_2_04693946
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046AD9C9 5_2_046AD9C9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04687A46 5_2_04687A46
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0467DB62 5_2_0467DB62
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04687BAF 5_2_04687BAF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_06714652 5_2_06714652
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0671860A 5_2_0671860A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0672E6D5 5_2_0672E6D5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_06708752 5_2_06708752
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0671947C 5_2_0671947C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0671F264 5_2_0671F264
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_06734037 5_2_06734037
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0671F007 5_2_0671F007
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_067080A9 5_2_067080A9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_067181F2 5_2_067181F2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_06718E74 5_2_06718E74
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_06734E65 5_2_06734E65
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_066FFE06 5_2_066FFE06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_06726EFC 5_2_06726EFC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_06717CF6 5_2_06717CF6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_066F4CD6 5_2_066F4CD6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0671EDD8 5_2_0671EDD8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_06718A3F 5_2_06718A3F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_06716B6A 5_2_06716B6A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_06707B1A 5_2_06707B1A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0671EBA9 5_2_0671EBA9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_066FE86E 5_2_066FE86E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_067088BB 5_2_067088BB
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Code function: 7_2_02AE20C4 7_2_02AE20C4
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_0486947C 8_2_0486947C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_0487E6D5 8_2_0487E6D5
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_0486860A 8_2_0486860A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_04864652 8_2_04864652
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_04858752 8_2_04858752
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_048580A9 8_2_048580A9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_0486F007 8_2_0486F007
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_04884037 8_2_04884037
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_048681F2 8_2_048681F2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_0486F264 8_2_0486F264
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_04844CD6 8_2_04844CD6
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_04867CF6 8_2_04867CF6
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_0486EDD8 8_2_0486EDD8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_04876EFC 8_2_04876EFC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_0484FE06 8_2_0484FE06
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_04884E65 8_2_04884E65
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_04868E74 8_2_04868E74
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_048588BB 8_2_048588BB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_0484E86E 8_2_0484E86E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_04868A3F 8_2_04868A3F
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_0486EBA9 8_2_0486EBA9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_04857B1A 8_2_04857B1A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_04866B6A 8_2_04866B6A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C667D33 8_2_1C667D33
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C665E5E 8_2_1C665E5E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C656E0E 8_2_1C656E0E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C66DE9D 8_2_1C66DE9D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C666FEA 8_2_1C666FEA
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C643FCA 8_2_1C643FCA
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C6678FE 8_2_1C6678FE
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C663946 8_2_1C663946
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C67D9C9 8_2_1C67D9C9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C657A46 8_2_1C657A46
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C64DB62 8_2_1C64DB62
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C657BAF 8_2_1C657BAF
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C6674E6 8_2_1C6674E6
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C66E558 8_2_1C66E558
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C6686E8 8_2_1C6686E8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C668770 8_2_1C668770
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C64F0FA 8_2_1C64F0FA
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C66E0CC 8_2_1C66E0CC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C668168 8_2_1C668168
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C684159 8_2_1C684159
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C6761F0 8_2_1C6761F0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C66E2FB 8_2_1C66E2FB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C68332B 8_2_1C68332B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C65739D 8_2_1C65739D
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\Ocihlomc.PIF 8A005601E52341E8AFF3C95CF30F4EDE6B874D2B7E6FFDB9AFDA9425733FC5D7
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\easinvoker.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\netutils.dll A692D4305B95E57E2CFC871D53A41A5BFC9E306CB1A86CA1159DB4F469598714
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: String function: 028A6658 appears 32 times
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: String function: 028B7BE8 appears 45 times
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: String function: 028A4698 appears 247 times
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: String function: 028A4824 appears 882 times
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: String function: 028A44A0 appears 67 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 04694770 appears 41 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 04694E10 appears 54 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 04661E65 appears 34 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 0671547C appears 41 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 066E2B71 appears 34 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 06715B1C appears 54 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 04662093 appears 50 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 1C631E65 appears 34 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 1C664770 appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 1C664E10 appears 54 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 04832B71 appears 34 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 04865B1C appears 54 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 0486547C appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 1C632093 appears 50 times
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Code function: String function: 02AE6658 appears 32 times
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Code function: String function: 02AE4698 appears 156 times
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Code function: String function: 02AE4824 appears 628 times
Source: netutils.dll.0.dr Static PE information: Number of sections : 19 > 10
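The netutils.dll entries in this section (eleven sections whose name renders as "." and a section count of 19 against the report's threshold of 10) are static triage signals that can be checked without executing the sample. The Python below is an added example, not code from this report or from Joe Sandbox: it parses a PE section table with the standard library only, renders section names the way a viewer that drops non-printable bytes would, and raises the same two flags plus an RWX-section flag. The image it inspects is constructed in memory (headers only, synthetic section names) rather than the dropped netutils.dll, whose real section bytes are not on this page; the threshold constant, the flag names and the printable-range rule are the example's own choices.

```python
import struct
from typing import Dict, List

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # 40-byte IMAGE_SECTION_HEADER

# Threshold the report applies ("Number of sections : 19 > 10"); example choice.
MAX_EXPECTED_SECTIONS = 10


def build_pe(section_names: List[bytes], characteristics: int = 0x60000020) -> bytes:
    """Assemble a minimal, headers-only PE32 image for testing (constructed input).

    Only the fields a section-table parser reads are meaningful: e_lfanew,
    NumberOfSections, SizeOfOptionalHeader and the section headers themselves.
    Default characteristics are CODE|EXECUTE|READ."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222          # PE32 optional header stub
    sections = b"".join(
        SECTION_HEADER.pack(name[:8].ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                            0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, characteristics)
        for i, name in enumerate(section_names)
    )
    return dos + b"PE\0\0" + coff + optional + sections


def render_name(raw: bytes) -> str:
    """Mimic a report viewer: cut at the first NUL, drop bytes outside printable ASCII."""
    raw = raw.split(b"\0", 1)[0]
    return "".join(chr(b) for b in raw if 0x20 <= b < 0x7F)


def parse_sections(data: bytes) -> List[Dict]:
    """Walk the section table of a PE image and return one record per section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt                  # signature + COFF header + optional header
    out = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER.size
        if off + SECTION_HEADER.size > len(data):
            raise ValueError("section table truncated")
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = SECTION_HEADER.unpack_from(data, off)
        stripped = name.split(b"\0", 1)[0]
        out.append({
            "name_raw": stripped,
            "rendered": render_name(name),
            "has_special_chars": any(not (0x20 <= b < 0x7F) for b in stripped),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rsize, "raw_pointer": rptr,
            "characteristics": chars,
        })
    return out


def triage(data: bytes) -> Dict:
    """Apply the static checks a sandbox would: count, odd names, writable+executable."""
    sections = parse_sections(data)
    flags = []
    if len(sections) > MAX_EXPECTED_SECTIONS:
        flags.append("too_many_sections")
    if any(s["has_special_chars"] for s in sections):
        flags.append("special_char_section_name")
    if any(s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE
           for s in sections):
        flags.append("rwx_section")
    return {"num_sections": len(sections), "flags": flags,
            "rendered_names": [s["rendered"] for s in sections]}


# Constructed 19-section layout: three normal names, eleven names that are a
# dot followed by non-printable bytes (so they render as "."), five more normal.
SAMPLE_SECTION_NAMES = (
    [b".text", b".rdata", b".data"]
    + [b"." + bytes([0x80 + i, 0x90 + i]) for i in range(11)]
    + [b".pdata", b".rsrc", b".reloc", b".tls", b".bss"]
)
SAMPLE_PE = build_pe(SAMPLE_SECTION_NAMES)

if __name__ == "__main__":
    result = triage(SAMPLE_PE)
    print(result["num_sections"], result["flags"])
    for s in parse_sections(SAMPLE_PE):
        print(repr(s["name_raw"]), "->", repr(s["rendered"]))
```

To use it on a real dropped file, pass the bytes of the file to triage(); the raw name bytes in each record are what to record as an indicator, since a rendered "." only says that the name contained unprintable bytes and different samples can share that rendering while differing in the bytes themselves.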
Source: XY2I8rWLkM.exe Binary or memory string: OriginalFilename vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013B67000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000002.2037895391.0000000014C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000002.2027190578.000000000228A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000002.2051616049.000000007FC10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: colorcpl.exe PID: 2800, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: SndVol.exe PID: 2380, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\Public\Libraries\OcihlomcO.bat, type: DROPPED Matched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@16/11@4/3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04677952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 5_2_04677952
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C647952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 8_2_1C647952
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028A7F8E GetDiskFreeSpaceA, 0_2_028A7F8E
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B9E10 CreateToolhelp32Snapshot, 0_2_028B9E10
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B6D84 CoCreateInstance, 0_2_028B6D84
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0467B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, 5_2_0467B4A8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0467AC78 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 5_2_0467AC78
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe File created: C:\Users\Public\Libraries\Null Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2764:120:WilError_03
Source: C:\Windows\SysWOW64\SndVol.exe Mutant created: \Sessions\1\BaseNamedObjects\Windows Volume App Window
Source: C:\Windows\SysWOW64\colorcpl.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-TALGAI
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3224:120:WilError_03
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\OcihlomcO.bat" "
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: XY2I8rWLkM.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe File read: C:\Users\user\Desktop\XY2I8rWLkM.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\XY2I8rWLkM.exe "C:\Users\user\Desktop\XY2I8rWLkM.exe"
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\OcihlomcO.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\XY2I8rWLkM.exe C:\\Users\\Public\\Libraries\\Ocihlomc.PIF
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\Public\Libraries\Ocihlomc.PIF "C:\Users\Public\Libraries\Ocihlomc.PIF"
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: unknown Process created: C:\Users\Public\Libraries\Ocihlomc.PIF "C:\Users\Public\Libraries\Ocihlomc.PIF"
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\OcihlomcO.bat" " Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\XY2I8rWLkM.exe C:\\Users\\Public\\Libraries\\Ocihlomc.PIF Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: archiveint.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: url.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: eamsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: smartscreenps.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ???y.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ???y.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ???y.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ???.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ???.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ???.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??????s.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??????s.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??????s.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: winhttpcom.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Section loaded: ??.dll (94 identical section-load events; the report renders the module name as ??.dll)
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\colorcpl.exe Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\colorcpl.exe Window detected: Number of UI elements: 12
Source: XY2I8rWLkM.exe Static file information: File size 2200064 > 1048576
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013B67000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source: Binary string: easinvoker.pdbH source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013B67000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2037895391.0000000014C50000.00000004.00000020.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr

Data Obfuscation

Source: Yara match File source: 0.2.XY2I8rWLkM.exe.28a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.XY2I8rWLkM.exe.228a9b8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.XY2I8rWLkM.exe.228a9b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2154857966.0000000002AE1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2212258273.00000000029B1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2027190578.000000000228A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2051616049.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B7AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_028B7AC0
Source: initial sample Static PE information: section where entry point is pointing to: .
Source: netutils.dll.0.dr Static PE information: real checksum: 0x2c00d should be: 0x1f08e
Source: XY2I8rWLkM.exe Static PE information: real checksum: 0x0 should be: 0x224133
Source: Ocihlomc.PIF.4.dr Static PE information: real checksum: 0x0 should be: 0x224133
Source: easinvoker.exe.0.dr Static PE information: section name: .imrsiv
Source: netutils.dll.0.dr Static PE information: section name: . (11 sections whose names the report renders as a single dot)
Source: netutils.dll.0.dr Static PE information: section name: /4
Source: netutils.dll.0.dr Static PE information: section name: /19
Source: netutils.dll.0.dr Static PE information: section name: /31
Source: netutils.dll.0.dr Static PE information: section name: /45
Source: netutils.dll.0.dr Static PE information: section name: /57
Source: netutils.dll.0.dr Static PE information: section name: /70
Source: netutils.dll.0.dr Static PE information: section name: /81
Source: netutils.dll.0.dr Static PE information: section name: /92
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028CA2F4 push 028CA35Fh; ret 0_2_028CA357
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028A32F0 push eax; ret 0_2_028A332C
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028BD20C push ecx; mov dword ptr [esp], edx 0_2_028BD211
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028A6372 push 028A63CFh; ret 0_2_028A63C7
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028A6374 push 028A63CFh; ret 0_2_028A63C7
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028CA0AC push 028CA125h; ret 0_2_028CA11D
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B3028 push 028B3075h; ret 0_2_028B306D
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B3027 push 028B3075h; ret 0_2_028B306D
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028CA1F8 push 028CA288h; ret 0_2_028CA280
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028CA144 push 028CA1ECh; ret 0_2_028CA1E4
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028A673E push 028A6782h; ret 0_2_028A677A
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028A6740 push 028A6782h; ret 0_2_028A677A
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028AC528 push ecx; mov dword ptr [esp], edx 0_2_028AC52D
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028AD55C push 028AD588h; ret 0_2_028AD580
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028ACBA8 push 028ACD2Eh; ret 0_2_028ACD26
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B9B58 push 028B9B90h; ret 0_2_028B9B88
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028C9B58 push 028C9D76h; ret 0_2_028C9D6E
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B78C8 push 028B7945h; ret 0_2_028B793D
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028AC8D6 push 028ACD2Eh; ret 0_2_028ACD26
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B6902 push 028B69AFh; ret 0_2_028B69A7
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B6904 push 028B69AFh; ret 0_2_028B69A7
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B5E38 push ecx; mov dword ptr [esp], edx 0_2_028B5E3A
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028CDF18 push eax; ret 0_2_028CDFE8
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B2F1C push 028B2F92h; ret 0_2_028B2F8A
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B7CA8 push 028B7CE0h; ret 0_2_028B7CD8
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B7CA6 push 028B7CE0h; ret 0_2_028B7CD8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046BE54D push esi; ret 5_2_046BE556
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046BB0F2 push esp; ret 5_2_046BB141
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046BB142 pushad ; ret 5_2_046BB151
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046B7106 push ecx; ret 5_2_046B7119
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04694E56 push ecx; ret 5_2_04694E69
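
The static PE findings above (a stored CheckSum of 0x0 against a real value of 0x224133 for both XY2I8rWLkM.exe and the dropped Ocihlomc.PIF, which is consistent with the .PIF being a copy of the sample; 0x2c00d against 0x1f08e for netutils.dll; section names rendered as "." or as "/4", "/19" and so on) are cheap to reproduce without the sandbox. The Python below is an added example, not code from the report or from the sandbox's tooling. It recomputes the PE CheckSum with the algorithm imagehlp's CheckSumMappedFile uses and flags section names that are unprintable or are "/N" COFF string-table references, the form GCC/MinGW emits for names longer than 8 bytes such as .debug_* sections. The image it builds is constructed, headers only, with hypothetical section names; for the real dropped files pass their bytes to checksum_mismatch() and odd_section_names().

```python
"""Static PE triage: recompute the PE CheckSum and flag odd section names.

Added example, not part of the sandbox report. The image returned by
build_sample_pe() is constructed (headers only) and its section names are
hypothetical stand-ins for the kinds of names the report lists.
"""
import struct
from typing import List, Tuple

COFF_HEADER_SIZE = 20
CHECKSUM_FIELD_OFFSET = 0x40   # CheckSum offset inside the optional header (PE32 and PE32+)
SECTION_HEADER_SIZE = 40


def pe_offsets(data: bytes) -> Tuple[int, int, int]:
    """Return (checksum_field_offset, section_table_offset, number_of_sections)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, n_sections, _, _, _, size_of_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + COFF_HEADER_SIZE
    return opt + CHECKSUM_FIELD_OFFSET, opt + size_of_opt, n_sections


def pe_checksum(data: bytes) -> int:
    """CheckSum as imagehlp!CheckSumMappedFile computes it: sum every 32-bit
    word except the CheckSum field with end-around carry, fold to 16 bits,
    add the file length. Assumes a 4-byte-aligned PE header (spec requires 8)."""
    checksum_off, _, _ = pe_offsets(data)
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def checksum_mismatch(data: bytes) -> Tuple[int, int]:
    """(stored, real): the pair behind the report's 'real checksum: X should be: Y'."""
    checksum_off, _, _ = pe_offsets(data)
    return struct.unpack_from("<I", data, checksum_off)[0], pe_checksum(data)


def with_correct_checksum(data: bytes) -> bytes:
    """Copy of the image with the CheckSum field set to the recomputed value."""
    checksum_off, _, _ = pe_offsets(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_off, pe_checksum(data))
    return bytes(buf)


def section_names(data: bytes) -> List[bytes]:
    _, sect_off, n = pe_offsets(data)
    return [data[sect_off + SECTION_HEADER_SIZE * i:][:8].rstrip(b"\0") for i in range(n)]


def odd_section_names(data: bytes) -> List[str]:
    """Flag names that are empty or not printable ASCII (the report shows them
    as '.') and '/N' names, which are COFF string-table offsets that GCC/MinGW
    emit for section names longer than 8 bytes, typically .debug_* sections."""
    findings = []
    for raw in section_names(data):
        name = raw.decode("latin-1")
        if not name or not all(0x21 <= ord(c) < 0x7F for c in name):
            findings.append(f"unprintable section name {raw!r}")
        elif name[0] == "/" and name[1:].isdigit():
            findings.append(f"string-table section name {name} (long or debug section)")
    return findings


def build_sample_pe(names: List[bytes], stored: int = 0) -> bytes:
    """Constructed minimal PE32 image with the given section names and a chosen
    stored CheckSum (0 reproduces the report's 'real checksum: 0x0')."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_opt = 0xE0                                    # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, size_of_opt, 0x2102)
    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, CHECKSUM_FIELD_OFFSET, stored)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    image = build_sample_pe([b".text", b"\x01\x02", b"/4", b"/19"])
    stored, real = checksum_mismatch(image)
    print(f"real checksum: {stored:#x} should be: {real:#x}")
    for finding in odd_section_names(image):
        print(finding)
```

User-mode images load fine with a wrong CheckSum, so a mismatch on its own is weak evidence; it is the combination with unprintable section names and an entry point inside such a section, as the report notes for the initial sample, that is worth a signature.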

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\extrac32.exe File created: C:\Users\Public\Libraries\Ocihlomc.PIF (2 identical events)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04666EB0 ShellExecuteW,URLDownloadToFileW, 5_2_04666EB0
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe File created: C:\Users\Public\Libraries\easinvoker.exe
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe File created: C:\Users\Public\Libraries\netutils.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0467AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 5_2_0467AA4A
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ocihlomc (2 identical events)
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B9B94 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_028B9B94
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (90 identical events)
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOOPENFILEERRORBOX (2 identical events)
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466F7A7 Sleep,ExitProcess, 5_2_0466F7A7
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C63F7A7 Sleep,ExitProcess, 8_2_1C63F7A7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 5_2_0467A748
Source: C:\Windows\SysWOW64\SndVol.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 8_2_1C64A748
Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: threadDelayed 6723
Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: threadDelayed 2913
Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: foregroundWindowGot 1753
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Dropped PE file which has not been started: C:\Users\Public\Libraries\easinvoker.exe
Source: C:\Windows\SysWOW64\SndVol.exe API coverage: 6.2 %
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 5508 Thread sleep time: -74500s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 4040 Thread sleep time: -20169000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 4040 Thread sleep time: -8739000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028A58CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_028A58CC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04669665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 5_2_04669665
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04669253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 5_2_04669253
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0467C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 5_2_0467C291
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 5_2_0466C34D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 5_2_0466BD37
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046AE879 FindFirstFileExA, 5_2_046AE879
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466783C FindFirstFileW,FindNextFileW, 5_2_0466783C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 5_2_0466880C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04679AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 5_2_04679AF5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 5_2_0466BB30
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C63BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 8_2_1C63BD37
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C67E879 FindFirstFileExA, 8_2_1C67E879
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C63783C FindFirstFileW,FindNextFileW, 8_2_1C63783C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C63880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 8_2_1C63880C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C649AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 8_2_1C649AF5
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C63BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 8_2_1C63BB30
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C639665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_1C639665
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C639253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_1C639253
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C64C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 8_2_1C64C291
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C63C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 8_2_1C63C34D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04667C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 5_2_04667C97
Source: XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWYV
Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: XY2I8rWLkM.exe, 00000000.00000002.2026131247.000000000078A000.00000004.00000020.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007BC000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4443196477.0000000000475000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2049726907.0000000000475000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Ocihlomc.PIF, 00000007.00000002.2150286434.000000000089A000.00000004.00000020.00020000.00000000.sdmp, Ocihlomc.PIF, 0000000A.00000002.2210707182.0000000000991000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\colorcpl.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046949F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_046949F9
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B7AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_028B7AC0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046A32B5 mov eax, dword ptr fs:[00000030h] 5_2_046A32B5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_066E1179 mov eax, dword ptr fs:[00000030h] 5_2_066E1179
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_06723FC1 mov eax, dword ptr fs:[00000030h] 5_2_06723FC1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_04831179 mov eax, dword ptr fs:[00000030h] 8_2_04831179
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_04873FC1 mov eax, dword ptr fs:[00000030h] 8_2_04873FC1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C6732B5 mov eax, dword ptr fs:[00000030h] 8_2_1C6732B5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04672077 GetProcessHeap,HeapFree, 5_2_04672077
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04694FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_04694FDC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046949F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_046949F9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04694B47 SetUnhandledExceptionFilter, 5_2_04694B47
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0469BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0469BB22
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C664FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_1C664FDC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C6649F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_1C6649F9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C664B47 SetUnhandledExceptionFilter, 8_2_1C664B47
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C66BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_1C66BB22

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 66E0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 4830000 protect: page execute and read and write
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Thread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 66E15CF
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Thread created: C:\Windows\SysWOW64\SndVol.exe EIP: 48315CF
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 66E0000 value starts with: 4D5A
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Memory written: C:\Windows\SysWOW64\SndVol.exe base: 4830000 value starts with: 4D5A
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 66E0000
Source: C:\Users\Public\Libraries\Ocihlomc.PIF Memory written: C:\Windows\SysWOW64\SndVol.exe base: 4830000
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 5_2_046720F7
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 8_2_1C6420F7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04679627 mouse_event, 5_2_04679627
Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000451000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: colorcpl.exe, 00000005.00000002.4443196477.000000000045F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerAI\184f
Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000451000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerJ6
Source: colorcpl.exe, 00000005.00000002.4443196477.000000000045F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerAI\
Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000451000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerm6
Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager96ca
Source: colorcpl.exe, 00000005.00000002.4443196477.000000000045F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerAI\26
Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000448000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000451000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerlc6
Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp, logs.dat.5.dr Binary or memory string: [Program Manager]
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04694C52 cpuid 5_2_04694C52
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 0_2_028BD5D0
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_028A5A90
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 0_2_028C5FA0
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: GetLocaleInfoA, 0_2_028AA780
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: GetLocaleInfoA, 0_2_028AA7CC
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_028A5B9C
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 0_2_028BD5D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_046B243C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 5_2_046A8404
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 5_2_046B2543
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_046B2610
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 5_2_046B2036
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 5_2_046B20C3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 5_2_046B2313
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 5_2_046B1CD8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 5_2_046B1F50
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 5_2_046B1F9B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 5_2_046A88ED
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoA, 5_2_0466F8D1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 8_2_1C681CD8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 8_2_1C681F50
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 8_2_1C681F9B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 8_2_1C6788ED
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoA, 8_2_1C63F8D1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_1C68243C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 8_2_1C678404
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 8_2_1C682543
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_1C682610
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 8_2_1C682036
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_1C6820C3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 8_2_1C682313
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028A91C8 GetLocalTime, 0_2_028A91C8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0467B60D GetUserNameW, 5_2_0467B60D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046A9190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 5_2_046A9190
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028AB748 GetVersionExA, 0_2_028AB748
Source: XY2I8rWLkM.exe, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013B67000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2027190578.000000000228A000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2051616049.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2038640740.0000000014E1D000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: cmdagent.exe
Source: XY2I8rWLkM.exe, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013B67000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2027190578.000000000228A000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2051616049.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2038640740.0000000014E1D000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: quhlpsvc.exe
Source: XY2I8rWLkM.exe, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013B67000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2027190578.000000000228A000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2051616049.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2038640740.0000000014E1D000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: avgamsvr.exe
Source: XY2I8rWLkM.exe, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013B67000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2027190578.000000000228A000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2051616049.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2038640740.0000000014E1D000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: TMBMSRV.exe
Source: XY2I8rWLkM.exe, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013B67000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2027190578.000000000228A000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2051616049.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2038640740.0000000014E1D000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: Vsserv.exe
Source: XY2I8rWLkM.exe, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013B67000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2027190578.000000000228A000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2051616049.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2038640740.0000000014E1D000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: avgupsvc.exe
Source: XY2I8rWLkM.exe, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013B67000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2027190578.000000000228A000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2051616049.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2038640740.0000000014E1D000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: avgemc.exe
Source: XY2I8rWLkM.exe, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013B67000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2027190578.000000000228A000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2051616049.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2038640740.0000000014E1D000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2153175404.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 2380, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\ffrrdds\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 5_2_0466BA12
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 8_2_1C63BA12
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 5_2_0466BB30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \key3.db 5_2_0466BB30
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 8_2_1C63BB30
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \key3.db 8_2_1C63BB30

Remote Access Functionality

Source: C:\Windows\SysWOW64\colorcpl.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-TALGAI
Source: C:\Windows\SysWOW64\SndVol.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-TALGAI
Source: Yara match File source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2153175404.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 2380, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\ffrrdds\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: cmd.exe 5_2_0466569A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: cmd.exe 8_2_1C63569A