Source: remcmdstub.exe |
Virustotal: Detection: 23% |
Perma Link |
Source: remcmdstub.exe |
ReversingLabs: Detection: 23% |
Source: remcmdstub.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: remcmdstub.exe |
Static PE information: certificate valid |
Source: remcmdstub.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: remcmdstub.exe |
String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0 |
Source: remcmdstub.exe |
String found in binary or memory: http://s2.symcb.com0 |
Source: remcmdstub.exe |
String found in binary or memory: http://sv.symcb.com/sv.crl0f |
Source: remcmdstub.exe |
String found in binary or memory: http://sv.symcb.com/sv.crt0 |
Source: remcmdstub.exe |
String found in binary or memory: http://sv.symcd.com0& |
Source: remcmdstub.exe |
String found in binary or memory: http://www.symauth.com/cps0( |
Source: remcmdstub.exe |
String found in binary or memory: http://www.symauth.com/rpa00 |
Source: remcmdstub.exe |
String found in binary or memory: https://d.symcb.com/cps0% |
Source: remcmdstub.exe |
String found in binary or memory: https://d.symcb.com/rpa0 |
Source: remcmdstub.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: classification engine |
Classification label: mal48.winEXE@2/1@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_03 |
Source: remcmdstub.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\remcmdstub.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: remcmdstub.exe |
Virustotal: Detection: 23% |
Source: remcmdstub.exe |
ReversingLabs: Detection: 23% |
Source: unknown |
Process created: C:\Users\user\Desktop\remcmdstub.exe "C:\Users\user\Desktop\remcmdstub.exe" |
Source: C:\Users\user\Desktop\remcmdstub.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\remcmdstub.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: remcmdstub.exe |
Static PE information: certificate valid |
Source: remcmdstub.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: remcmdstub.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: remcmdstub.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: remcmdstub.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: remcmdstub.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: remcmdstub.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Users\user\Desktop\remcmdstub.exe |
Code function: 0_2_003412E0 ExpandEnvironmentStringsA,_memset,GetStdHandle,GetStdHandle,GetStdHandle,GetStdHandle,GetConsoleMode,SetConsoleMode,GetLastError,SetConsoleCtrlHandler,LoadLibraryA,GetProcAddress,SetLastError,CreateProcessA,CloseHandle,CloseHandle,WaitForMultipleObjects,GenerateConsoleCtrlEvent,WaitForMultipleObjects,GetLastError,GetExitCodeProcess,GetLastError,GetLastError,WriteFile,Sleep,GetLastError,GetLastError,GetLastError,WaitForSingleObject,CloseHandle,GetProcAddress,CloseHandle,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, |
0_2_003412E0 |
Source: C:\Users\user\Desktop\remcmdstub.exe |
Code function: 0_2_003449F5 push ecx; ret |
0_2_00344A08 |
Source: C:\Users\user\Desktop\remcmdstub.exe |
Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep |
Source: C:\Users\user\Desktop\remcmdstub.exe |
API coverage: 9.9 % |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\remcmdstub.exe |
Code function: 0_2_00341EB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00341EB5 |
Source: C:\Users\user\Desktop\remcmdstub.exe |
Code function: 0_2_003412E0 ExpandEnvironmentStringsA,_memset,GetStdHandle,GetStdHandle,GetStdHandle,GetStdHandle,GetConsoleMode,SetConsoleMode,GetLastError,SetConsoleCtrlHandler,LoadLibraryA,GetProcAddress,SetLastError,CreateProcessA,CloseHandle,CloseHandle,WaitForMultipleObjects,GenerateConsoleCtrlEvent,WaitForMultipleObjects,GetLastError,GetExitCodeProcess,GetLastError,GetLastError,WriteFile,Sleep,GetLastError,GetLastError,GetLastError,WaitForSingleObject,CloseHandle,GetProcAddress,CloseHandle,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, |
0_2_003412E0 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\remcmdstub.exe |
Code function: 0_2_00341EB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00341EB5 |
Source: C:\Users\user\Desktop\remcmdstub.exe |
Code function: 0_2_00344CAB SetUnhandledExceptionFilter, |
0_2_00344CAB |
Source: C:\Users\user\Desktop\remcmdstub.exe |
Code function: 0_2_0034308C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_0034308C |
Source: C:\Users\user\Desktop\remcmdstub.exe |
Code function: 0_2_00345973 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, |
0_2_00345973 |
Source: C:\Users\user\Desktop\remcmdstub.exe |
Code function: 0_2_00341010 GetVersionExA, |
0_2_00341010 |