Windows Analysis Report
udVh4Ist4Z.exe

Overview

General Information

Sample name: udVh4Ist4Z.exe
renamed because original name is a hash value
Original sample name: 2cc30d206669699e58870623365fef82.exe
Analysis ID: 1430910
MD5: 2cc30d206669699e58870623365fef82
SHA1: de5e70f094d0b72660aa57b87667edd9d52971fc
SHA256: 42ac8e7e9df9877af1382f5626fd74e63210d307f6d577cd5b387ffd0c9520bd
Tags: 32, exe, trojan

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Delayed program exit found
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

AV Detection

Source: http://geoplugin.net/json.gp URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C URL Reputation: Label: phishing
Source: C:\Users\Public\Libraries\netutils.dll Avira: detection malicious, Label: TR/AVI.Agent.rqsyc
Source: 16.1.nmfsxfjX.pif.400000.1.unpack Malware Configuration Extractor: Remcos {"Version": "4.9.4 Pro", "Host:Port:Password": "kenoss.duckdns.org:1166:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-L24XL1", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF ReversingLabs: Detection: 63%
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Virustotal: Detection: 66%
Source: C:\Users\Public\Libraries\netutils.dll ReversingLabs: Detection: 82%
Source: C:\Users\Public\Libraries\netutils.dll Virustotal: Detection: 67%
Source: udVh4Ist4Z.exe ReversingLabs: Detection: 63%
Source: udVh4Ist4Z.exe Virustotal: Detection: 66%
Source: Yara match File source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2293209618.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000001.2559054856.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: udVh4Ist4Z.exe PID: 2056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 5000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 6400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 2420, type: MEMORYSTR
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Joe Sandbox ML: detected
Source: udVh4Ist4Z.exe Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 6_1_00433837
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 10_1_00433837
Source: udVh4Ist4Z.exe, 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_8754e71a-3

Exploits

Source: Yara match File source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2293209618.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000001.2559054856.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: udVh4Ist4Z.exe PID: 2056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 5000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 6400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 2420, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_004074FD _wcslen,CoGetObject, 6_1_004074FD
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_004074FD _wcslen,CoGetObject, 10_1_004074FD
Source: udVh4Ist4Z.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source: Binary string: easinvoker.pdbH source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134401693.0000000014E81000.00000004.00000020.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D658CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02D658CC
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 6_1_00409253
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 6_1_0041C291
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 6_1_0040C34D
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 6_1_00409665
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0044E879 FindFirstFileExA, 6_1_0044E879
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 6_1_0040880C
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040783C FindFirstFileW,FindNextFileW, 6_1_0040783C
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 6_1_00419AF5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 6_1_0040BB30
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 6_1_0040BD37
Source: C:\ProgramData\Remcos\remcos.exe Code function: 7_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime, 7_2_0040128D
Source: C:\ProgramData\Remcos\remcos.exe Code function: 7_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose, 7_2_00401612
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 10_1_00409253
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 10_1_0041C291
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 10_1_0040C34D
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 10_1_00409665
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0044E879 FindFirstFileExA, 10_1_0044E879
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 10_1_0040880C
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0040783C FindFirstFileW,FindNextFileW, 10_1_0040783C
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 10_1_00419AF5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 10_1_0040BB30
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 10_1_0040BD37
Source: C:\ProgramData\Remcos\remcos.exe Code function: 12_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime, 12_2_0040128D
Source: C:\ProgramData\Remcos\remcos.exe Code function: 12_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose, 12_2_00401612
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 6_1_00407C97

Networking

Source: Malware configuration extractor URLs: kenoss.duckdns.org
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D7C8AC InternetCheckConnectionA, 0_2_02D7C8AC
Source: Joe Sandbox View IP Address: 13.107.137.11
Source: Joe Sandbox View ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /download?resid=9ADCDEDB531E38FE%21107&authkey=!AIYYWqDY10e5-pU HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 6_1_0041B380
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: nmfsxfjX.pif String found in binary or memory: http://geoplugin.net/json.gp
Source: udVh4Ist4Z.exe, 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: remcos.exe, remcos.exe, 0000000C.00000000.2337823304.0000000000416000.00000002.00000001.01000000.00000007.sdmp, remcos.exe, 0000000C.00000002.2338890937.0000000000416000.00000002.00000001.01000000.00000007.sdmp, remcos.exe, 0000000D.00000000.2418876564.0000000000416000.00000002.00000001.01000000.00000007.sdmp, remcos.exe, 0000000D.00000002.2442004580.0000000000416000.00000002.00000001.01000000.00000007.sdmp, nmfsxfjX.pif, 00000010.00000000.2558844631.0000000000416000.00000002.00000001.01000000.00000006.sdmp, remcos.exe, 00000011.00000002.2566375553.0000000000416000.00000002.00000001.01000000.00000009.sdmp, remcos.exe, 00000011.00000000.2565214757.0000000000416000.00000002.00000001.01000000.00000009.sdmp, remcos.exe, 00000012.00000002.2620397438.0000000000416000.00000002.00000001.01000000.00000009.sdmp, remcos.exe, 00000012.00000000.2619943576.0000000000416000.00000002.00000001.01000000.00000009.sdmp, remcos.exe.10.dr, remcos.exe.6.dr, nmfsxfjX.pif.0.dr String found in binary or memory: http://www.pmail.com
Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.000000000072A000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 00000008.00000003.2293558943.0000000000939000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 0000000F.00000003.2559378885.000000000076D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://live.com/
Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.0000000000702000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 00000008.00000003.2293558943.00000000008D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/
Source: Xjfxsfmn.PIF, 0000000F.00000003.2559378885.00000000006F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/S
Source: Xjfxsfmn.PIF, 0000000F.00000002.2569407559.00000000141B2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download?resid=9ADCDEDB531E38FE%21107&authkey=
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.000000000072A000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 00000008.00000003.2293558943.0000000000939000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 0000000F.00000003.2559378885.000000000076D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xirfeg.sn.files.1drv.com/
Source: Xjfxsfmn.PIF, 0000000F.00000003.2559378885.000000000076D000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 0000000F.00000003.2559378885.0000000000764000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xirfeg.sn.files.1drv.com/y4mA7VtsLBctMjPvNeW-nBjYzK-kMyIJaIZdFZhf0ai66qWNCa5Jqdc_iM5uVKa3zxn
Source: Xjfxsfmn.PIF, 00000008.00000003.2293558943.0000000000939000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xirfeg.sn.files.1drv.com/y4mQLd7Jb4tXEApwTb1qUvLYu4AYaX9rqayqbrqvAn-5-ThXvkZfJF26xlkeR3Ny-gJ
Source: Xjfxsfmn.PIF, 0000000F.00000002.2560602263.0000000000772000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xirfeg.sn.files.1drv.com/y4mf57oWea_lC5UFEW7heHii22ItiVRqzOkuZoz6yyafu_P62cjXQyR0S8WE0jPq8Gh
Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.000000000071C000.00000004.00000020.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2140385254.000000000072A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xirfeg.sn.files.1drv.com/y4mmJkpN2-URpDPce1turH6bNoPZHs8qohGTBPPgUSqUu1WeGjpTknCmr6n8UWtLOer
Source: Xjfxsfmn.PIF, 0000000F.00000003.2559378885.000000000076D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xirfeg.sn.files.1drv.com:443/y4mA7VtsLBctMjPvNeW-nBjYzK-kMyIJaIZdFZhf0ai66qWNCa5Jqdc_iM5uVKa
Source: Xjfxsfmn.PIF, 00000008.00000003.2293558943.0000000000939000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xirfeg.sn.files.1drv.com:443/y4mQLd7Jb4tXEApwTb1qUvLYu4AYaX9rqayqbrqvAn-5-ThXvkZfJF26xlkeR3N
Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.000000000071C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xirfeg.sn.files.1drv.com:443/y4mmJkpN2-URpDPce1turH6bNoPZHs8qohGTBPPgUSqUu1WeGjpTknCmr6n8UWt
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.6:49725 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 6_1_0040A2B8
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 6_1_0040B70E
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 6_1_004168C1
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 10_1_004168C1
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 6_1_0040B70E
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 6_1_0040A3E0
Source: Yara match File source: Process Memory Space: udVh4Ist4Z.exe PID: 2056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 6400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 2420, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2293209618.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000001.2559054856.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: udVh4Ist4Z.exe PID: 2056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 5000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 6400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 2420, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041C9E2 SystemParametersInfoW, 6_1_0041C9E2
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0041C9E2 SystemParametersInfoW, 10_1_0041C9E2

System Summary

Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000001.2293209618.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000010.00000001.2559054856.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: udVh4Ist4Z.exe PID: 2056, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: nmfsxfjX.pif PID: 5000, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: nmfsxfjX.pif PID: 6400, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: nmfsxfjX.pif PID: 2420, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\Public\Libraries\XjfxsfmnO.bat, type: DROPPED Matched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen
Source: netutils.dll.0.dr Static PE information: section name: .
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D7C3F8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_02D7C3F8
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D7C368 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_02D7C368
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D7C4DC RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 0_2_02D7C4DC
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D77AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_02D77AC0
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D77968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 0_2_02D77968
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D77F48 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 0_2_02D77F48
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D7C3F6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_02D7C3F6
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D77966 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 0_2_02D77966
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D77F46 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 0_2_02D77F46
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 6_1_004132D2
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle, 6_1_0041BB09
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041BB35 OpenProcess,NtResumeProcess,CloseHandle, 6_1_0041BB35
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 8_2_02DAC4DC NtOpenFile,NtReadFile, 8_2_02DAC4DC
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 8_2_02DA7968 NtAllocateVirtualMemory, 8_2_02DA7968
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 8_2_02DA7F48 CreateProcessAsUserW,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,Wow64SetThreadContext,NtResumeThread, 8_2_02DA7F48
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 8_2_02DA7966 NtAllocateVirtualMemory, 8_2_02DA7966
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 8_2_02DA7F46 CreateProcessAsUserW,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,Wow64SetThreadContext,NtResumeThread, 8_2_02DA7F46
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 10_1_004132D2
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle, 10_1_0041BB09
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0041BB35 OpenProcess,NtResumeProcess,CloseHandle, 10_1_0041BB35
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E3C4DC RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose, 15_2_02E3C4DC
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E37AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 15_2_02E37AC0
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E37968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 15_2_02E37968
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E37F48 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 15_2_02E37F48
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E3C3F6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 15_2_02E3C3F6
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E3C3F8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 15_2_02E3C3F8
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E3C368 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 15_2_02E3C368
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E37966 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 15_2_02E37966
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E37F46 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 15_2_02E37F46
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D7CA6C CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle, 0_2_02D7CA6C
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 6_1_004167B4
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 10_1_004167B4
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B6265E 0_3_02B6265E
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B60719 0_3_02B60719
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B61362 0_3_02B61362
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B6134B 0_3_02B6134B
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B610BD 0_3_02B610BD
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B614BD 0_3_02B614BD
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B604A9 0_3_02B604A9
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B6049D 0_3_02B6049D
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B60485 0_3_02B60485
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B620F2 0_3_02B620F2
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B610D5 0_3_02B610D5
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B610C9 0_3_02B610C9
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B614C9 0_3_02B614C9
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B60425 0_3_02B60425
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B6102E 0_3_02B6102E
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B62018 0_3_02B62018
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B60419 0_3_02B60419
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B60000 0_3_02B60000
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B6040D 0_3_02B6040D
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B61045 0_3_02B61045
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B609B0 0_3_02B609B0
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B609BC 0_3_02B609BC
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B609A4 0_3_02B609A4
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B611EA 0_3_02B611EA
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B601DE 0_3_02B601DE
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B61531 0_3_02B61531
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B6153D 0_3_02B6153D
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B60D38 0_3_02B60D38
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B62953 0_3_02B62953
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B61549 0_3_02B61549
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D620C4 0_2_02D620C4
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0043E0CC 6_1_0043E0CC
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041F0FA 6_1_0041F0FA
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00454159 6_1_00454159
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00438168 6_1_00438168
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_004461F0 6_1_004461F0
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0043E2FB 6_1_0043E2FB
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0045332B 6_1_0045332B
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0042739D 6_1_0042739D
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_004374E6 6_1_004374E6
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0043E558 6_1_0043E558
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00438770 6_1_00438770
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_004378FE 6_1_004378FE
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00433946 6_1_00433946
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0044D9C9 6_1_0044D9C9
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00427A46 6_1_00427A46
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041DB62 6_1_0041DB62
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00427BAF 6_1_00427BAF
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00437D33 6_1_00437D33
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00435E5E 6_1_00435E5E
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00426E0E 6_1_00426E0E
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0043DE9D 6_1_0043DE9D
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00413FCA 6_1_00413FCA
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00436FEA 6_1_00436FEA
Source: C:\ProgramData\Remcos\remcos.exe Code function: 7_2_004057B8 7_2_004057B8
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 8_2_02D920C4 8_2_02D920C4
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0043E0CC 10_1_0043E0CC
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0041F0FA 10_1_0041F0FA
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00454159 10_1_00454159
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00438168 10_1_00438168
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_004461F0 10_1_004461F0
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0043E2FB 10_1_0043E2FB
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0045332B 10_1_0045332B
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0042739D 10_1_0042739D
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_004374E6 10_1_004374E6
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0043E558 10_1_0043E558
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00438770 10_1_00438770
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_004378FE 10_1_004378FE
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00433946 10_1_00433946
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0044D9C9 10_1_0044D9C9
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00427A46 10_1_00427A46
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0041DB62 10_1_0041DB62
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00427BAF 10_1_00427BAF
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00437D33 10_1_00437D33
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00435E5E 10_1_00435E5E
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00426E0E 10_1_00426E0E
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0043DE9D 10_1_0043DE9D
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00413FCA 10_1_00413FCA
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00436FEA 10_1_00436FEA
Source: C:\ProgramData\Remcos\remcos.exe Code function: 12_2_004057B8 12_2_004057B8
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E220C4 15_2_02E220C4
Source: Joe Sandbox View Dropped File: C:\ProgramData\Remcos\remcos.exe 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\easinvoker.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: String function: 02E26658 appears 32 times
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: String function: 02D94824 appears 628 times
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: String function: 02E24698 appears 156 times
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: String function: 02E24824 appears 628 times
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: String function: 02D96658 appears 32 times
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: String function: 02D94698 appears 156 times
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 00402213 appears 38 times
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 004052FD appears 32 times
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 00434E10 appears 108 times
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 0040417E appears 46 times
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 00402093 appears 100 times
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 00434770 appears 82 times
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 00401E65 appears 70 times
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 00401FAB appears 40 times
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 00411F67 appears 32 times
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 004020DF appears 40 times
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 00457A28 appears 34 times
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 004484CA appears 36 times
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 004458D0 appears 56 times
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 004046F7 appears 34 times
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: String function: 02D66658 appears 32 times
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: String function: 02D64698 appears 247 times
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: String function: 02D77BE8 appears 45 times
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: String function: 02D644A0 appears 67 times
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: String function: 02D64824 appears 882 times
Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 0040A6C4 appears 136 times
Source: netutils.dll.0.dr Static PE information: Number of sections : 19 > 10
Source: udVh4Ist4Z.exe Binary or memory string: OriginalFilename vs udVh4Ist4Z.exe
Source: udVh4Ist4Z.exe, 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs udVh4Ist4Z.exe
Source: udVh4Ist4Z.exe, 00000000.00000002.2162661886.000000001517D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs udVh4Ist4Z.exe
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014010000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs udVh4Ist4Z.exe
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs udVh4Ist4Z.exe
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs udVh4Ist4Z.exe
Source: udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs udVh4Ist4Z.exe
Source: udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs udVh4Ist4Z.exe
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs udVh4Ist4Z.exe
Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs udVh4Ist4Z.exe
Source: udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs udVh4Ist4Z.exe
Source: udVh4Ist4Z.exe, 00000000.00000003.2134401693.0000000014E81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs udVh4Ist4Z.exe
Source: udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs udVh4Ist4Z.exe
Source: udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs udVh4Ist4Z.exe
Source: udVh4Ist4Z.exe, 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs udVh4Ist4Z.exe
Source: udVh4Ist4Z.exe, 00000000.00000003.2138564063.0000000014E9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs udVh4Ist4Z.exe
Source: udVh4Ist4Z.exe, 00000000.00000003.2138564063.0000000014F00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs udVh4Ist4Z.exe
Source: udVh4Ist4Z.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000001.2293209618.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000010.00000001.2559054856.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: udVh4Ist4Z.exe PID: 2056, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: nmfsxfjX.pif PID: 5000, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: nmfsxfjX.pif PID: 6400, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: nmfsxfjX.pif PID: 2420, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\Public\Libraries\XjfxsfmnO.bat, type: DROPPED Matched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload
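The YARA block above repeats the same three rules across every unpacked PE, memory dump and process-string source, which hides the useful fact: Remcos and the CMSTP UAC-bypass signature hit the same 0x400000 image in analysis processes 6, 10 and 16. The helper below is an added triage example, not part of the Joe Sandbox report, that collapses such lines into a per-rule view. Its reading of the source names (that "6.1.nmfsxfjX.pif" in unpack names and "00000006.00000001" in memory-dump names both mean analysis process 6, run 1) is this editor's inference from the report's own naming, not a documented contract; the sample lines are constructed from the entries above with shortened metadata.

```python
import re
from collections import defaultdict

# Constructed sample input: six lines in the exact shape of the report's
# "Matched rule" entries (metadata shortened), one per source type seen above.
SAMPLE_LINES = """\
Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows
Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild., Author = Adam M. Swanda
Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed
Source: Process Memory Space: nmfsxfjX.pif PID: 5000, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed
Source: C:\\Users\\Public\\Libraries\\XjfxsfmnO.bat, type: DROPPED Matched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload
"""

# One report line: "Source: <source>, type: <TYPE> Matched rule: <rule> <metadata>"
LINE_RE = re.compile(
    r"^Source: (?P<source>.+?), type: (?P<type>\w+) Matched rule: (?P<rule>\S+)(?: (?P<meta>.*))?$"
)
# "<proc>.<run>.<image>.<base>.<n>[.raw].unpack"
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<run>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\.\d+(?:\.raw)?\.unpack$"
)
# "<proc hex>.<run hex>.<dump id>.<base hex>...." memory-dump naming
DUMP_RE = re.compile(r"^(?P<proc>[0-9A-F]{8})\.(?P<run>[0-9A-F]{8})\.\d+\.(?P<base>[0-9A-F]{16})\.")
PID_RE = re.compile(r"PID: (?P<pid>\d+)")
# ATT&CK technique ids quoted in rule metadata, e.g. "MITRE (T1218.003)"
TECH_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def where(source: str, srctype: str) -> str:
    """Normalize a Source field to 'which process / which region' (assumption: see lead-in)."""
    if srctype == "UNPACKEDPE":
        m = UNPACK_RE.match(source)
        if m:
            return f"proc {int(m['proc'])}/run {int(m['run'])} {m['image']} @0x{m['base'].upper()}"
    if srctype == "MEMORY":
        m = DUMP_RE.match(source)
        if m:
            base = m["base"].lstrip("0") or "0"
            return f"proc {int(m['proc'], 16)}/run {int(m['run'], 16)} dump @0x{base}"
    if srctype == "MEMORYSTR":
        m = PID_RE.search(source)
        if m:
            return f"PID {m['pid']} strings"
    return f"{srctype.lower()} {source}"


def parse_match_line(line: str):
    """Parse one 'Matched rule' line; None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    meta = m["meta"] or ""
    return {
        "rule": m["rule"],
        "where": where(m["source"], m["type"]),
        "techniques": sorted(set(TECH_RE.findall(meta))),
    }


def summarize(report_text: str) -> dict:
    """Collapse repeated lines into rule -> {hits, where (sorted), techniques (sorted)}."""
    acc = defaultdict(lambda: {"hits": 0, "where": set(), "techniques": set()})
    for line in report_text.splitlines():
        rec = parse_match_line(line)
        if rec is None:
            continue
        entry = acc[rec["rule"]]
        entry["hits"] += 1
        entry["where"].add(rec["where"])
        entry["techniques"].update(rec["techniques"])
    return {
        rule: {"hits": e["hits"], "where": sorted(e["where"]), "techniques": sorted(e["techniques"])}
        for rule, e in acc.items()
    }


if __name__ == "__main__":
    for rule, e in summarize(SAMPLE_LINES).items():
        print(f"{rule}: {e['hits']} hit(s) in {len(e['where'])} location(s) {e['techniques']}")
        for w in e["where"]:
            print("    " + w)
```

Feeding the full report text instead of SAMPLE_LINES gives the same per-rule table; the thing to look for is a rule that hits only in memory dumps or process strings and never in an unpacked PE, which marks a payload the sandbox could not carve and that still needs manual extraction.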
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@24/14@4/1
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 6_1_00417952
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 10_1_00417952
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D67F90 GetDiskFreeSpaceA, 0_2_02D67F90
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 6_1_0040F474
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D76D84 CoCreateInstance, 0_2_02D76D84
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, 6_1_0041B4A8
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 6_1_0041AA4A
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe File created: C:\Users\Public\Libraries\Null Jump to behavior
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Mutant created: \Sessions\1\BaseNamedObjects\Rmc-L24XL1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4488:120:WilError_03
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\XjfxsfmnO.bat" "
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: Software\ 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: Rmc-L24XL1 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: Exe 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: Exe 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: Rmc-L24XL1 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: Inj 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: Inj 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: 8SG 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: exepath 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: 8SG 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: exepath 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: licence 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: dMG 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PSG 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: Administrator 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: User 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: del 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: del 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: del 6_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: Software\ 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: Rmc-L24XL1 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: Exe 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: Exe 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: Rmc-L24XL1 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: Inj 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: Inj 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: 8SG 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: exepath 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: 8SG 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: exepath 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: licence 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: dMG 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PG 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: PSG 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: Administrator 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: User 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: del 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: del 10_1_0040E9C5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Command line argument: del 10_1_0040E9C5
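The strings referenced above (Software\, Rmc-L24XL1, exepath, licence) are the pieces Remcos uses for its per-install registry storage: the family is documented to keep the (encrypted) path of its executable and its licence string as values named exepath and licence under HKCU\Software\<bot ID>. That is family knowledge, not a registry write this section shows. The following is an added triage example written for this page, not code from Joe Sandbox or from the report: it parses a constructed `reg export` snippet that uses the Rmc-L24XL1 name above and flags keys with that layout. The sample export, the hex bytes, the regexes and the function names are the editor's assumptions.

```python
r"""Hunt for Remcos' per-install registry storage in a `reg export` dump.

Added example (editor's code, not from the report or Joe Sandbox). Remcos is
documented to keep the path of its executable and its licence string as values
named exepath and licence under HKCU\Software\<bot ID>; the report above
references exactly those strings (Software\, Rmc-L24XL1, exepath, licence).
"""
import re

# Constructed export (not taken from the report): one Delphi key, one Remcos-style
# key named after the Rmc-L24XL1 string above with an invented encrypted exepath,
# and a benign Run value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Borland\Delphi\Locales]

[HKEY_CURRENT_USER\Software\Rmc-L24XL1]
"exepath"=hex:4a,1f,9c,00,d3,77,2e,b0,\
  11,22
"licence"="0123456789abcdef0123456789abcdef"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
RMC_KEY_RE = re.compile(r"\\software\\rmc-[a-z0-9]+$", re.I)
REMCOS_VALUES = {"exepath", "licence"}


def parse_reg(text):
    """Minimal parser for reg.exe export text: {key: {value_name: raw_data}}.
    Handles the backslash continuation lines reg.exe emits for long hex values."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                       # continuation of a wrapped value
            name, data = pending
            data += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, data)
            else:
                keys[current][name] = data
                pending = None
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group("name"), m.group("data")
            if data.endswith("\\"):
                pending = (name, data.rstrip("\\"))
            else:
                keys[current][name] = data
    return keys


def reg_binary(data):
    """Decode a REG_BINARY value ('hex:4a,1f,...' or 'hex(3):...') to bytes."""
    return bytes.fromhex(data.split(":", 1)[1].replace(",", ""))


def find_remcos_keys(keys):
    """Keys named Rmc-<id> under Software, or carrying the exepath/licence pair
    (the pair catches builds whose operator renamed the key)."""
    hits = []
    for key, values in keys.items():
        names = {n.lower() for n in values}
        if RMC_KEY_RE.search(key) or REMCOS_VALUES <= names:
            hits.append(key)
    return hits


def load_reg(path):
    """reg.exe writes exports as UTF-16LE with BOM; decode accordingly."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())


if __name__ == "__main__":
    found = parse_reg(SAMPLE_REG)
    for key in find_remcos_keys(found):
        print(key, "exepath bytes:", reg_binary(found[key]["exepath"]).hex())
```

On a live host, `reg export HKCU\Software hkcu_software.reg` followed by `load_reg("hkcu_software.reg")` gives the same dictionary; the exepath bytes are only the encrypted blob, so the hit is the key layout itself, not a decoded path.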
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (repeated 2x)
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (repeated 4x)
Source: C:\Users\Public\Libraries\nmfsxfjX.pif File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: udVh4Ist4Z.exe ReversingLabs: Detection: 63%
Source: udVh4Ist4Z.exe Virustotal: Detection: 66%
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe File read: C:\Users\user\Desktop\udVh4Ist4Z.exe
Source: unknown Process created: C:\Users\user\Desktop\udVh4Ist4Z.exe "C:\Users\user\Desktop\udVh4Ist4Z.exe"
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\XjfxsfmnO.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\udVh4Ist4Z.exe C:\\Users\\Public\\Libraries\\Xjfxsfmn.PIF
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process created: C:\Users\Public\Libraries\nmfsxfjX.pif C:\Users\Public\Libraries\nmfsxfjX.pif
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown Process created: C:\Users\Public\Libraries\Xjfxsfmn.PIF "C:\Users\Public\Libraries\Xjfxsfmn.PIF"
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process created: C:\Users\Public\Libraries\nmfsxfjX.pif C:\Users\Public\Libraries\nmfsxfjX.pif
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe "C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
Source: unknown Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown Process created: C:\Users\Public\Libraries\Xjfxsfmn.PIF "C:\Users\Public\Libraries\Xjfxsfmn.PIF"
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process created: C:\Users\Public\Libraries\nmfsxfjX.pif C:\Users\Public\Libraries\nmfsxfjX.pif
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe "C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe "C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
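The process chain listed above is the part of this report worth turning into detection logic: the sample runs cmd.exe on a .bat dropped in C:\Users\Public\Libraries, abuses extrac32.exe with /C /Y to copy itself to a .PIF in the same folder, runs a .pif from that folder, and that .pif launches remcos.exe from C:\ProgramData\Remcos and from AppData\Roaming\Remcos. The following is an added example written for this page, not code from the report or from Joe Sandbox: it holds constructed Sysmon-style process-creation records mirroring those command lines (PIDs and the benign control record are invented) and applies one rule per link of the chain. Record layout, rule names and thresholds are the editor's assumptions.

```python
"""Flag the DBatLoader -> Remcos process chain from the report above.

Added example (editor's code, not Joe Sandbox's): the records below are
constructed Sysmon-style tuples modelled on the command lines in the report.
"""

# Constructed records: (pid, ppid, image, command_line). PIDs are invented.
EVENTS = [
    (100, 1,   r"C:\Users\user\Desktop\udVh4Ist4Z.exe",
               r'"C:\Users\user\Desktop\udVh4Ist4Z.exe"'),
    (101, 100, r"C:\Windows\SysWOW64\cmd.exe",
               r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\XjfxsfmnO.bat" "'),
    (102, 100, r"C:\Windows\SysWOW64\extrac32.exe",
               r"C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\udVh4Ist4Z.exe C:\\Users\\Public\\Libraries\\Xjfxsfmn.PIF"),
    (103, 100, r"C:\Users\Public\Libraries\nmfsxfjX.pif",
               r"C:\Users\Public\Libraries\nmfsxfjX.pif"),
    (104, 103, r"C:\ProgramData\Remcos\remcos.exe",
               r'"C:\ProgramData\Remcos\remcos.exe"'),
    # Benign control (constructed): extrac32 expanding a cabinet, no /C, no Public dir.
    (200, 1,   r"C:\Windows\System32\extrac32.exe",
               r"extrac32.exe /Y C:\Temp\setup.cab C:\Temp\out"),
]

PUBLIC_LIBRARIES = "c:\\users\\public\\libraries\\"


def norm(path):
    """Lower-case, strip quotes and collapse the doubled backslashes the loader
    writes into its command lines (see the extrac32 line in the report)."""
    return path.replace("\\\\", "\\").strip('"').lower()


def extrac32_copy_target(cmdline):
    """Destination of `extrac32 /C <src> <dst>` (single-file copy mode), else None.
    Whitespace split is enough for the report's lines; paths containing spaces
    would need a CommandLineToArgvW-style parser."""
    toks = cmdline.split()
    if not toks or not norm(toks[0]).endswith("extrac32.exe"):
        return None
    flags = {t.upper() for t in toks[1:] if t.startswith("/")}
    args = [t for t in toks[1:] if not t.startswith("/")]
    if "/C" not in flags or len(args) < 2:
        return None
    return norm(args[-1])


def analyse(events):
    """Return (pid, rule, evidence) tuples, one per matching link of the chain."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmd in events:
        img, low_cmd = norm(image), norm(cmd)
        parent = by_pid.get(ppid)
        parent_img = norm(parent[2]) if parent else ""
        # 1. cmd.exe running a batch file dropped under C:\Users\Public
        if img.endswith("\\cmd.exe") and "c:\\users\\public\\" in low_cmd and ".bat" in low_cmd:
            findings.append((pid, "cmd_bat_from_public", low_cmd))
        # 2. extrac32.exe used as a copy LOLBin into Public\ or onto a .pif name
        dst = extrac32_copy_target(cmd)
        if dst and (dst.startswith("c:\\users\\public\\") or dst.endswith(".pif")):
            findings.append((pid, "extrac32_lolbin_copy", dst))
        # 3. a .pif executing out of C:\Users\Public\Libraries
        if img.endswith(".pif") and img.startswith(PUBLIC_LIBRARIES):
            findings.append((pid, "pif_exec_public_libraries", img))
        # 4. anything under a \Remcos\ directory spawned by a .pif parent
        if "\\remcos\\" in img and parent_img.endswith(".pif"):
            findings.append((pid, "remcos_child_of_pif", img))
    return findings


if __name__ == "__main__":
    for hit in analyse(EVENTS):
        print(hit)
```

Rules 1 to 3 are independent of the Remcos name and survive a rebuild of the loader; rule 4 is the cheap confirmation for this family. The benign record (pid 200) shows why the /C flag and the destination directory, not extrac32.exe itself, carry the signal.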
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: archiveint.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: url.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: amsi.dll (repeated 7x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: eamsi.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: amsi.dll (repeated 5x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: smartscreenps.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: amsi.dll (repeated 35x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: am.dll (repeated 49x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: amsi.dll (repeated 46x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: am.dll (repeated 2x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: amsi.dll (repeated 22x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: amsi.dll (repeated 18x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: amsi.dll (repeated 2x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: am.dll (repeated 21x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll (repeated 5x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ???y.dll (repeated 3x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ????.dll (repeated 3x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll (repeated 2x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ???2.dll (repeated 3x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ???.dll (repeated 3x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll (repeated 2x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??????s.dll (repeated 3x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll (repeated 23x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll (repeated 22x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll (repeated 6x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: winhttpcom.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll (repeated 4x)
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: udVh4Ist4Z.exe Static file information: File size 1639424 > 1048576
Source: udVh4Ist4Z.exe Static PE information: Raw size of DATA is bigger than: 0x100000 < 0x114800
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source: Binary string: easinvoker.pdbH source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134401693.0000000014E81000.00000004.00000020.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr

Data Obfuscation

Source: Yara match File source: 0.2.udVh4Ist4Z.exe.2cbe308.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.udVh4Ist4Z.exe.2d60000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.udVh4Ist4Z.exe.2c59910.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.udVh4Ist4Z.exe.2c9ce08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.udVh4Ist4Z.exe.2cbe308.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2561591986.0000000002E21000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2296612772.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: nmfsxfjX.pif.0.dr Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D77AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_02D77AC0
Source: initial sample Static PE information: section where entry point is pointing to: .
Source: remcos.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x1768a
Source: netutils.dll.0.dr Static PE information: real checksum: 0x2c00d should be: 0x1f08e
Source: nmfsxfjX.pif.0.dr Static PE information: real checksum: 0x0 should be: 0x1768a
Source: udVh4Ist4Z.exe Static PE information: real checksum: 0x0 should be: 0x19fb50
Source: Xjfxsfmn.PIF.5.dr Static PE information: real checksum: 0x0 should be: 0x19fb50
Source: remcos.exe.10.dr Static PE information: real checksum: 0x0 should be: 0x1768a
Source: easinvoker.exe.0.dr Static PE information: section name: .imrsiv
Source: netutils.dll.0.dr Static PE information: section name: .
Source: netutils.dll.0.dr Static PE information: section name: /4
Source: netutils.dll.0.dr Static PE information: section name: /19
Source: netutils.dll.0.dr Static PE information: section name: /31
Source: netutils.dll.0.dr Static PE information: section name: /45
Source: netutils.dll.0.dr Static PE information: section name: /57
Source: netutils.dll.0.dr Static PE information: section name: /70
Source: netutils.dll.0.dr Static PE information: section name: /81
Source: netutils.dll.0.dr Static PE information: section name: /92
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_0296009D push dword ptr [esi-5D3DF0BBh]; retf 0_3_029600B1
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02962BAE push dword ptr [esi-5D3D056Dh]; iretd 0_3_02962BB5
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_029623C9 push dword ptr [esi-5D3D05BBh]; iretd 0_3_029623DD
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02A8C6F9 push cs; retf 0_3_02A8C6FE
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02A7D0DF push esi; ret 0_3_02A7D0EC
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02A8802D push ss; retf 0_3_02A88053
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02A8C120 push es; retf 0_3_02A8C12B
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D632F0 push eax; ret 0_2_02D6332C
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D8A2F4 push 02D8A35Fh; ret 0_2_02D8A357
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D7D20C push ecx; mov dword ptr [esp], edx 0_2_02D7D211
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D66374 push 02D663CFh; ret 0_2_02D663C7
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D66372 push 02D663CFh; ret 0_2_02D663C7
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D8A0AC push 02D8A125h; ret 0_2_02D8A11D
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D73027 push 02D73075h; ret 0_2_02D7306D
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D73028 push 02D73075h; ret 0_2_02D7306D
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D8A1F8 push 02D8A288h; ret 0_2_02D8A280
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D8A144 push 02D8A1ECh; ret 0_2_02D8A1E4
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D66740 push 02D66782h; ret 0_2_02D6677A
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D6673E push 02D66782h; ret 0_2_02D6677A
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D6D55C push 02D6D588h; ret 0_2_02D6D580
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D6C528 push ecx; mov dword ptr [esp], edx 0_2_02D6C52D
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D6CBA8 push 02D6CD2Eh; ret 0_2_02D6CD26
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D89B58 push 02D89D76h; ret 0_2_02D89D6E
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D79B58 push 02D79B90h; ret 0_2_02D79B88
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D6C8D6 push 02D6CD2Eh; ret 0_2_02D6CD26
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D778C8 push 02D77945h; ret 0_2_02D7793D
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D76904 push 02D769AFh; ret 0_2_02D769A7

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\extrac32.exe File created: C:\Users\Public\Libraries\Xjfxsfmn.PIF
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe File created: C:\Users\Public\Libraries\nmfsxfjX.pif
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00406EB0 ShellExecuteW,URLDownloadToFileW, 6_1_00406EB0
Source: C:\Users\Public\Libraries\nmfsxfjX.pif File created: C:\ProgramData\Remcos\remcos.exe
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe File created: C:\Users\Public\Libraries\easinvoker.exe
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe File created: C:\Users\Public\Libraries\netutils.dll
Source: C:\Users\Public\Libraries\nmfsxfjX.pif File created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe

Boot Survival

Source: C:\Users\Public\Libraries\nmfsxfjX.pif Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-L24XL1
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Xjfxsfmn
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 6_1_0041AA4A
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-L24XL1
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D79B94 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_02D79B94
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040F7A7 Sleep,ExitProcess, 6_1_0040F7A7
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0040F7A7 Sleep,ExitProcess, 10_1_0040F7A7
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 6_1_0041A748
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 10_1_0041A748
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Dropped PE file which has not been started: C:\Users\Public\Libraries\easinvoker.exe
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Evaded block: after key decision
Source: C:\ProgramData\Remcos\remcos.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\Public\Libraries\nmfsxfjX.pif API coverage: 6.4 %
Source: C:\Users\Public\Libraries\nmfsxfjX.pif API coverage: 6.3 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D658CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02D658CC
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 6_1_00409253
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 6_1_0041C291
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 6_1_0040C34D
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 6_1_00409665
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0044E879 FindFirstFileExA, 6_1_0044E879
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 6_1_0040880C
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040783C FindFirstFileW,FindNextFileW, 6_1_0040783C
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 6_1_00419AF5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 6_1_0040BB30
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 6_1_0040BD37
Source: C:\ProgramData\Remcos\remcos.exe Code function: 7_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime, 7_2_0040128D
Source: C:\ProgramData\Remcos\remcos.exe Code function: 7_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose, 7_2_00401612
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 10_1_00409253
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 10_1_0041C291
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 10_1_0040C34D
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 10_1_00409665
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0044E879 FindFirstFileExA, 10_1_0044E879
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 10_1_0040880C
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0040783C FindFirstFileW,FindNextFileW, 10_1_0040783C
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 10_1_00419AF5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 10_1_0040BB30
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 10_1_0040BD37
Source: C:\ProgramData\Remcos\remcos.exe Code function: 12_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime, 12_2_0040128D
Source: C:\ProgramData\Remcos\remcos.exe Code function: 12_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose, 12_2_00401612
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 6_1_00407C97
Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.00000000006E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW/
Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.00000000006B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(0o%SystemRoot%\system32\mswsock.dll
Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 00000008.00000003.2293558943.0000000000902000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 00000008.00000003.2293558943.00000000008D0000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 0000000F.00000003.2559378885.0000000000726000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 0000000F.00000003.2559378885.00000000006F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Remcos\remcos.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_1_004349F9
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D77AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_02D77AC0
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_004432B5 mov eax, dword ptr fs:[00000030h] 6_1_004432B5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_004432B5 mov eax, dword ptr fs:[00000030h] 10_1_004432B5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00412077 GetProcessHeap,HeapFree, 6_1_00412077
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_1_004349F9
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00434B47 SetUnhandledExceptionFilter, 6_1_00434B47
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_1_0043BB22
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_1_00434FDC
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_1_004349F9
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00434B47 SetUnhandledExceptionFilter, 10_1_00434B47
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_1_0043BB22
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_1_00434FDC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Memory allocated: C:\Users\Public\Libraries\nmfsxfjX.pif base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Memory allocated: C:\Users\Public\Libraries\nmfsxfjX.pif base: 1E060000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Memory allocated: C:\Users\Public\Libraries\nmfsxfjX.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Memory allocated: C:\Users\Public\Libraries\nmfsxfjX.pif base: 1E060000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Memory allocated: C:\Users\Public\Libraries\nmfsxfjX.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Memory allocated: C:\Users\Public\Libraries\nmfsxfjX.pif base: 18100000 protect: page execute and read and write
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Section unmapped: C:\Users\Public\Libraries\nmfsxfjX.pif base address: 400000
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Section unmapped: C:\Users\Public\Libraries\nmfsxfjX.pif base address: 400000
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Memory written: C:\Users\Public\Libraries\nmfsxfjX.pif base: 2CD008
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Memory written: C:\Users\Public\Libraries\nmfsxfjX.pif base: 218008
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Memory written: C:\Users\Public\Libraries\nmfsxfjX.pif base: 370008
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 6_1_004120F7
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 10_1_004120F7
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00419627 mouse_event, 6_1_00419627
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process created: C:\Users\Public\Libraries\nmfsxfjX.pif C:\Users\Public\Libraries\nmfsxfjX.pif
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process created: C:\Users\Public\Libraries\nmfsxfjX.pif C:\Users\Public\Libraries\nmfsxfjX.pif
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe "C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Process created: C:\Users\Public\Libraries\nmfsxfjX.pif C:\Users\Public\Libraries\nmfsxfjX.pif
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe "C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00434C52 cpuid 6_1_00434C52
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 0_2_02D7D5D0
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02D65A90
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: GetLocaleInfoA, 0_2_02D6A7CC
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: GetLocaleInfoA, 0_2_02D6A780
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02D65B9C
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 0_2_02D7D5D0
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 0_2_02D85FA0
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: EnumSystemLocalesW, 6_1_00452036
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_1_004520C3
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: GetLocaleInfoW, 6_1_00452313
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: EnumSystemLocalesW, 6_1_00448404
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_1_0045243C
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: GetLocaleInfoW, 6_1_00452543
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_1_00452610
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: GetLocaleInfoA, 6_1_0040F8D1
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: GetLocaleInfoW, 6_1_004488ED
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 6_1_00451CD8
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: EnumSystemLocalesW, 6_1_00451F50
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: EnumSystemLocalesW, 6_1_00451F9B
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: EnumSystemLocalesW, 10_1_00452036
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 10_1_004520C3
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: GetLocaleInfoW, 10_1_00452313
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: EnumSystemLocalesW, 10_1_00448404
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 10_1_0045243C
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: GetLocaleInfoW, 10_1_00452543
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 10_1_00452610
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: GetLocaleInfoA, 10_1_0040F8D1
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: GetLocaleInfoW, 10_1_004488ED
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 10_1_00451CD8
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: EnumSystemLocalesW, 10_1_00451F50
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: EnumSystemLocalesW, 10_1_00451F9B
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: CoInitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 15_2_02E3D5D0
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 15_2_02E25A90
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: GetLocaleInfoA, 15_2_02E2A7CC
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 15_2_02E25B9B
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 15_2_02E45F9F
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D691C8 GetLocalTime, 0_2_02D691C8
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041B60D GetComputerNameExW,GetUserNameW, 6_1_0041B60D
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 6_1_00449190
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D6B748 GetVersionExA, 0_2_02D6B748
Source: udVh4Ist4Z.exe, udVh4Ist4Z.exe, 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2162661886.000000001517D000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: cmdagent.exe
Source: udVh4Ist4Z.exe, udVh4Ist4Z.exe, 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2162661886.000000001517D000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: quhlpsvc.exe
Source: udVh4Ist4Z.exe, udVh4Ist4Z.exe, 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2162661886.000000001517D000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: avgamsvr.exe
Source: udVh4Ist4Z.exe, udVh4Ist4Z.exe, 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2162661886.000000001517D000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: TMBMSRV.exe
Source: udVh4Ist4Z.exe, udVh4Ist4Z.exe, 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2162661886.000000001517D000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: Vsserv.exe
Source: udVh4Ist4Z.exe, udVh4Ist4Z.exe, 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2162661886.000000001517D000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: avgupsvc.exe
Source: udVh4Ist4Z.exe, udVh4Ist4Z.exe, 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2162661886.000000001517D000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: avgemc.exe
Source: udVh4Ist4Z.exe, udVh4Ist4Z.exe, 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2162661886.000000001517D000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2293209618.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000001.2559054856.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: udVh4Ist4Z.exe PID: 2056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 5000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 6400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 2420, type: MEMORYSTR
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 6_1_0040BA12
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 10_1_0040BA12
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 6_1_0040BB30
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: \key3.db 6_1_0040BB30
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 10_1_0040BB30
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: \key3.db 10_1_0040BB30

Remote Access Functionality

Source: C:\Users\Public\Libraries\nmfsxfjX.pif Mutex created: \Sessions\1\BaseNamedObjects\Rmc-L24XL1
Source: Yara match File source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2293209618.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000001.2559054856.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: udVh4Ist4Z.exe PID: 2056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 5000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 6400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 2420, type: MEMORYSTR
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: cmd.exe 6_1_0040569A
Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: cmd.exe 10_1_0040569A