Windows Analysis Report
SHEOrder-10524.exe

Overview

General Information

Sample name: SHEOrder-10524.exe
Analysis ID: 1431184
MD5: 439f6db2adb770a0f825879c91da9904
SHA1: 6b997f099e01ba06378a58115f65d515a22f5fb1
SHA256: 9eef226fdb7d6c554cd552fc3f597ebfd6d77e33b95db53f7a631a75acf0c270
Tags: exeHUN

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops PE files with a suspicious file extension
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

AV Detection

Source: http://geoplugin.net/json.gp/C URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp URL Reputation: Label: phishing
Source: 14.1.lhgtogaW.pif.400000.3.unpack Malware Configuration Extractor: Remcos {"Version": "4.9.4 Pro", "Host:Port:Password": "91.223.3.151:4508", "Assigned name": "HCODE FILE", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-V052BG", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\Public\Libraries\Wagotghl.PIF ReversingLabs: Detection: 47%
Source: C:\Users\Public\Libraries\netutils.dll ReversingLabs: Detection: 28%
Source: SHEOrder-10524.exe ReversingLabs: Detection: 47%
Source: Yara match File source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4155660149.000000002416C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.1717466391.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4156653259.0000000025BBF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000001.1938580336.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4137990797.0000000000490000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000001.1938580336.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4155660149.000000002412E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1733060343.000000007E790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.1882448821.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1775014710.0000000024164000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4137990797.0000000000AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.1717466391.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SHEOrder-10524.exe PID: 7276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 8068, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\Public\Libraries\Wagotghl.PIF Joe Sandbox ML: detected
Source: SHEOrder-10524.exe Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 4_2_00433837
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 4_1_00433837
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 5_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData, 5_2_00404423
Source: SHEOrder-10524.exe, 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_79de4548-8
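The configuration extracted above (C2 socket, mutex, Run-key switches, keylog file) is the most actionable artefact in this section, but it only becomes useful once it is turned into things a responder can query on a suspect host. The Python below is an added example, not part of the Joe Sandbox report and not Remcos or DBatLoader tooling: it reduces the extracted config to indicators and checks a host snapshot against them. The config string, the mutex, the C2 socket and the C:\ProgramData\remcos\logs.dat path are taken from this report; the snapshot layout, the benign filler entries, and the Run value name and target (Wagotghl.PIF under C:\Users\Public\Libraries) are assumptions constructed for the example.

```python
import json

# Configuration string exactly as the report's Malware Configuration Extractor
# printed it for 14.1.lhgtogaW.pif.400000.3.unpack.
REMCOS_CONFIG_JSON = r'''{"Version": "4.9.4 Pro", "Host:Port:Password": "91.223.3.151:4508",
"Assigned name": "HCODE FILE", "Connect interval": "1", "Install flag": "Disable",
"Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path",
"Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable",
"Mutex": "Rmc-V052BG", "Keylog flag": "1", "Keylog path": "Application path",
"Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable",
"Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable",
"Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData",
"Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable",
"Delete file": "Disable", "Audio record time": "5"}'''

# Config switches -> the registry keys they control.
RUN_KEYS = {
    "Setup HKCU\\Run": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "Setup HKLM\\Run": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
}


def remcos_iocs(config_json: str) -> dict:
    """Reduce an extracted Remcos config to the artefacts worth hunting for."""
    cfg = json.loads(config_json)
    # Field layout is host:port:password; the extractor omitted the password here.
    host, port = cfg["Host:Port:Password"].split(":")[:2]
    return {
        "c2": [(host, int(port))],
        "mutex": cfg["Mutex"],
        "run_keys": [path for flag, path in RUN_KEYS.items() if cfg.get(flag) == "Enable"],
        # "Install flag" is disabled in this config, so remcos.exe is not expected on
        # disk; it stays in the list anyway. logs.dat is written because "Keylog flag" is 1.
        "file_names": {cfg["Copy file"].lower(), cfg["Keylog file"].lower()},
        "keylogging": cfg.get("Keylog flag") == "1",
    }


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_snapshot(snapshot: dict, iocs: dict) -> list:
    """Match a host snapshot against the IOCs and return human-readable findings.

    Snapshot layout (constructed for this example, not a real collector format):
      run_values:  {registry_key: {value_name: command}}
      mutexes:     [names]
      files:       [paths]
      connections: [(remote_ip, remote_port)]
    """
    findings = []
    for key in iocs["run_keys"]:
        for name, command in snapshot.get("run_values", {}).get(key, {}).items():
            # Either the configured file name, or anything under C:\Users\Public,
            # which is where the loader stage dropped lhgtogaW.pif / Wagotghl.PIF.
            if _basename(command) in iocs["file_names"] or "\\users\\public\\" in command.lower():
                findings.append(f"persistence {key}\\{name} -> {command}")
    if iocs["mutex"] in snapshot.get("mutexes", []):
        findings.append(f"mutex {iocs['mutex']}")
    for path in snapshot.get("files", []):
        if _basename(path) in iocs["file_names"]:
            findings.append(f"file {path}")
    for ip, port in snapshot.get("connections", []):
        if (ip, port) in iocs["c2"]:
            findings.append(f"c2 {ip}:{port}")
    return findings


# Constructed host snapshot modelled on the report's artefacts: the Run value
# name and its target are an assumption (the report only says a new Run key
# points to a suspicious folder); the mutex, logs.dat path and C2 socket are
# the report's. The second mutex and explorer.exe entry are benign filler.
INFECTED_HOST = {
    "run_values": {
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
            "Wagotghl": r"C:\Users\Public\Libraries\Wagotghl.PIF",
        }
    },
    "mutexes": ["Rmc-V052BG", "Local\\ZonesCounterMutex"],
    "files": [r"C:\ProgramData\remcos\logs.dat", r"C:\Windows\explorer.exe"],
    "connections": [("13.107.139.11", 443), ("91.223.3.151", 4508)],
}

if __name__ == "__main__":
    for line in check_snapshot(INFECTED_HOST, remcos_iocs(REMCOS_CONFIG_JSON)):
        print(line)
```

The Run-key check also flags any command under C:\Users\Public, mirroring the "New RUN Key Pointing to Suspicious Folder" Sigma hit: with Install flag disabled, the Run entry the sandbox saw is presumably not Remcos copying itself to remcos.exe but something pointing into the loader's drop folder, so matching only on the configured file name would miss it.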

Exploits

Source: Yara match File source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.1717466391.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000001.1938580336.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4137990797.0000000000490000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000001.1938580336.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1733060343.000000007E790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.1882448821.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4137990797.0000000000AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.1717466391.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SHEOrder-10524.exe PID: 7276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 8068, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_004074FD _wcslen,CoGetObject, 4_2_004074FD
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_004074FD _wcslen,CoGetObject, 4_1_004074FD
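The two CoGetObject call sites above are what the "Contains functionality to bypass UAC (CMSTPLUA)" and "Yara detected UAC Bypass using CMSTP" signatures key on: CoGetObject is handed an elevation moniker naming an auto-elevating COM class. The Python below is an added example for confirming that indicator in your own process dumps; it is not code from the report or from the malware. The moniker prefix and the CMSTPLUA CLSID are the well-known values for this technique and are supplied from outside the page, which prints neither; the memory fragment is constructed.

```python
import re

# Well-known values, supplied here rather than quoted from the report: the
# elevation moniker prefix CoGetObject accepts for auto-elevated COM classes,
# and the CLSID of the CMSTPLUA class that this bypass abuses.
ELEVATION_PREFIX = "Elevation:Administrator!new:"
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def scan_for_elevation_moniker(blob: bytes) -> list:
    """Return (encoding, moniker) for every elevation moniker found in blob.

    CoGetObject takes a wide string (the report shows _wcslen right before it),
    so a UTF-16LE hit is what the call site would use; ASCII is scanned too
    because the string is often kept narrow until it is converted for the call.
    """
    hits = []
    for enc, width in (("ascii", 1), ("utf-16le", 2)):
        needle = ELEVATION_PREFIX.encode(enc)
        start = 0
        while (pos := blob.find(needle, start)) != -1:
            clsid_at = pos + len(needle)
            # A CLSID in braces is 38 characters; decode exactly that many.
            clsid = blob[clsid_at:clsid_at + 38 * width].decode(enc, "replace")
            if _CLSID_RE.fullmatch(clsid):
                hits.append((enc, ELEVATION_PREFIX + clsid.upper()))
            start = clsid_at
    return hits


def uac_bypass_verdict(blob: bytes) -> str:
    """Classify a dump: CMSTPLUA moniker, some other elevation moniker, or nothing."""
    hits = scan_for_elevation_moniker(blob)
    if any(moniker.endswith(CMSTPLUA_CLSID) for _, moniker in hits):
        return "cmstplua-elevation-moniker"
    return "other-elevation-moniker" if hits else "none"


# Constructed memory fragment (not a dump from the report): padding, the
# wide-string moniker as the code would pass it, and an unrelated import name.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}".encode("utf-16le")
    + b"\x00\x00CoGetObject\x00"
)

if __name__ == "__main__":
    print(uac_bypass_verdict(SAMPLE_DUMP), scan_for_elevation_moniker(SAMPLE_DUMP))
```

A hit proves the capability is present in memory, which is all the signature names claim; whether the bypass actually ran on a host is a question for process telemetry, not for string scanning.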

Compliance

Source: C:\Users\Public\Libraries\lhgtogaW.pif Unpacked PE file: 4.2.lhgtogaW.pif.400000.0.unpack
Source: SHEOrder-10524.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source: Binary string: easinvoker.pdbH source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1732244936.0000000014BF0000.00000004.00000020.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028C58CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_028C58CC
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_2_00409253
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 4_2_0041C291
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 4_2_0040C34D
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_2_00409665
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 4_2_0040880C
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0040783C FindFirstFileW,FindNextFileW, 4_2_0040783C
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 4_2_00419AF5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 4_2_0040BB30
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 4_2_0040BD37
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_274C10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_274C10F1
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_1_00409253
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 4_1_0041C291
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 4_1_0040C34D
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_1_00409665
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 4_1_0040880C
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_0040783C FindFirstFileW,FindNextFileW, 4_1_0040783C
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 4_1_00419AF5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 4_1_0040BB30
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 4_1_0040BD37
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 5_2_0040AE51 FindFirstFileW,FindNextFileW, 5_2_0040AE51
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 4_2_00407C97

Networking

Source: Malware configuration extractor URLs: 91.223.3.151
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028DC8AC InternetCheckConnectionA, 0_2_028DC8AC
Source: global traffic TCP traffic: 192.168.2.4:49733 -> 91.223.3.151:4508
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 13.107.139.11 13.107.139.11
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View ASN Name: PL-SKYTECH-ASPL PL-SKYTECH-ASPL
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /download?resid=B24528E77689F9AC%21162&authkey=!APfH4vXvDJEK1Qc HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: onedrive.live.com (3 identical requests)
Source: unknown TCP traffic detected without corresponding DNS query: 91.223.3.151 (50 occurrences)
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 4_2_0041B380
Source: global traffic HTTP traffic detected: GET /download?resid=B24528E77689F9AC%21162&authkey=!APfH4vXvDJEK1Qc HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: onedrive.live.com (3 identical requests)
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: lhgtogaW.pif, 00000004.00000002.4157153882.0000000027490000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: lhgtogaW.pif, 00000004.00000002.4157153882.0000000027490000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: lhgtogaW.pif String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: bhv1938.tmp.5.dr String found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (LinkedIn)
Source: bhv1938.tmp.5.dr String found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (LinkedIn)
Source: lhgtogaW.pif, 00000005.00000003.1793746944.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: t_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: lhgtogaW.pif, 00000005.00000003.1793746944.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: t_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: lhgtogaW.pif, 00000004.00000002.4156997111.00000000273A0000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: lhgtogaW.pif, 00000004.00000002.4156997111.00000000273A0000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: onedrive.live.com
Source: global traffic DNS traffic detected: DNS query: bnaqzw.sn.files.1drv.com
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
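The HTTP, DNS and TCP lines above describe three network behaviours a sensor can catch: the second-stage fetch from OneDrive using the default user agent of the WinHttp.WinHttpRequest COM object (a loader, not a browser, despite the Mozilla prefix), the geoplugin.net request with no user agent at all, and a raw-IP connection to 91.223.3.151:4508 that no DNS lookup preceded. The Python below is an added example, not code from the report or from any sensor product, that runs those three checks over constructed log excerpts. The tab-separated layout, the DNS answer lines (including which IP answered for geoplugin.net) and the second client 192.168.2.7 are constructed for the example; the hosts, URL, user agent and C2 socket are the report's.

```python
import ipaddress

# Constructed log excerpts in a simplified tab-separated layout of the example's
# own choosing (not the sandbox's capture). Fields: ts, src, host, method, path, UA
# for HTTP; ts, src, qname, answer for DNS; ts, src, dst, dport for connections.
HTTP_LOG = """\
1\t192.168.2.4\tonedrive.live.com\tGET\t/download?resid=B24528E77689F9AC%21162&authkey=!APfH4vXvDJEK1Qc\tMozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
2\t192.168.2.4\tgeoplugin.net\tGET\t/json.gp\t-
3\t192.168.2.7\twww.example.com\tGET\t/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
"""
DNS_LOG = """\
1\t192.168.2.4\tonedrive.live.com\t13.107.139.11
2\t192.168.2.4\tgeoplugin.net\t178.237.33.50
3\t192.168.2.7\twww.example.com\t192.0.2.10
"""
CONN_LOG = """\
1\t192.168.2.4\t13.107.139.11\t443
2\t192.168.2.4\t91.223.3.151\t4508
3\t192.168.2.4\t178.237.33.50\t80
4\t192.168.2.7\t192.0.2.10\t80
"""

# "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" is the default
# user agent of the WinHttp.WinHttpRequest COM object, i.e. script/loader code.
WINHTTP_UA_MARKER = "WinHttp.WinHttpRequest"
CLOUD_STORAGE_HOSTS = ("onedrive.live.com", "1drv.com", "drive.google.com")
COMMON_PORTS = {22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995}


def _host_matches(host: str, suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def flag_http(http_log: str) -> list:
    """Flag loader-style cloud-storage downloads and the Remcos geolocation check-in."""
    flags = []
    for line in http_log.splitlines():
        _ts, src, host, _method, path, ua = line.split("\t")
        if _host_matches(host, CLOUD_STORAGE_HOSTS) and WINHTTP_UA_MARKER in ua:
            flags.append((src, "cloud-storage-fetch-winhttp", host + path))
        if host == "geoplugin.net" and path.startswith("/json.gp") and ua == "-":
            flags.append((src, "geoplugin-no-user-agent", host + path))
    return flags


def flag_conns(conn_log: str, dns_log: str) -> list:
    """Flag connections to public IPs that no DNS answer produced, on uncommon ports."""
    resolved = {line.split("\t")[3] for line in dns_log.splitlines()}
    flags = []
    for line in conn_log.splitlines():
        _ts, src, dst, port = line.split("\t")
        if dst in resolved or int(port) in COMMON_PORTS:
            continue
        if ipaddress.ip_address(dst).is_global:
            flags.append((src, "direct-ip-uncommon-port", f"{dst}:{port}"))
    return flags


def triage(http_log: str, conn_log: str, dns_log: str) -> dict:
    """Group all flags by source host so one infected client stands out."""
    by_src = {}
    for src, rule, detail in flag_http(http_log) + flag_conns(conn_log, dns_log):
        by_src.setdefault(src, []).append((rule, detail))
    return by_src


if __name__ == "__main__":
    for src, hits in triage(HTTP_LOG, CONN_LOG, DNS_LOG).items():
        print(src, hits)
```

geoplugin.net itself is a public geolocation API, so the useful signal is the shape of the request (no user agent, from a client that has just opened a raw-IP connection on an uncommon port) rather than the domain on its own; the direct-IP rule deliberately skips destinations that a DNS answer produced, so the OneDrive and CDN traffic on 443 does not fire.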
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: bhv1938.tmp.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhv1938.tmp.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv1938.tmp.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv1938.tmp.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv1938.tmp.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv1938.tmp.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv1938.tmp.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv1938.tmp.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: bhv1938.tmp.5.dr String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: bhv1938.tmp.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhv1938.tmp.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv1938.tmp.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv1938.tmp.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv1938.tmp.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv1938.tmp.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv1938.tmp.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: bhv1938.tmp.5.dr String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv1938.tmp.5.dr String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhv1938.tmp.5.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv1938.tmp.5.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv1938.tmp.5.dr String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhv1938.tmp.5.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv1938.tmp.5.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv1938.tmp.5.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv1938.tmp.5.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv1938.tmp.5.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv1938.tmp.5.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: bhv1938.tmp.5.dr String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: lhgtogaW.pif, lhgtogaW.pif, 00000004.00000003.1752355443.000000002419D000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4155660149.000000002416C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1795167395.000000002416B000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1752093906.000000002418E000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4155660149.000000002412E000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1777938226.000000002415C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1797585028.000000002416B000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1752093906.000000002416C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1796644094.000000002416B000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1775014710.0000000024164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: SHEOrder-10524.exe, 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1733060343.000000007E790000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000001.1717466391.0000000000490000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: lhgtogaW.pif, 00000004.00000002.4155660149.000000002416C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1795167395.000000002416B000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1777938226.000000002415C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1797585028.000000002416B000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1752093906.000000002416C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1796644094.000000002416B000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1775014710.0000000024164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpH
Source: lhgtogaW.pif, 00000004.00000002.4155660149.000000002416C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1795167395.000000002416B000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1777938226.000000002415C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1797585028.000000002416B000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1752093906.000000002416C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1796644094.000000002416B000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1775014710.0000000024164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpZ
Source: lhgtogaW.pif, 00000004.00000003.1777938226.000000002415C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1752093906.000000002416C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1775014710.0000000024164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpu
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: bhv1938.tmp.5.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhv1938.tmp.5.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: bhv1938.tmp.5.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv1938.tmp.5.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv1938.tmp.5.dr String found in binary or memory: http://ocsp.digicert.com0Q
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: bhv1938.tmp.5.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv1938.tmp.5.dr String found in binary or memory: http://ocsp.msocsp.com0S
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: bhv1938.tmp.5.dr String found in binary or memory: http://ocspx.digicert.com0E
Source: bhv1938.tmp.5.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv1938.tmp.5.dr String found in binary or memory: http://www.digicert.com/CPS0~
Source: lhgtogaW.pif, 00000004.00000002.4157153882.0000000027490000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: lhgtogaW.pif, 00000004.00000002.4157153882.0000000027490000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000003.1781518005.000000000091D000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000007.00000003.1781576573.000000000091D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: lhgtogaW.pif, 00000004.00000002.4157153882.0000000027490000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: lhgtogaW.pif, 00000004.00000002.4157153882.0000000027490000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: lhgtogaW.pif, 00000007.00000003.1781518005.000000000091D000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000007.00000003.1781576573.000000000091D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.comta
Source: bhv1938.tmp.5.dr String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696334965379
Source: lhgtogaW.pif, 00000005.00000002.1794411249.0000000000193000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: SHEOrder-10524.exe, SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1676709365.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1732244936.0000000014BF0000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000000.1716894021.0000000000416000.00000002.00000001.01000000.00000006.sdmp, lhgtogaW.pif, 00000005.00000000.1778121431.0000000000416000.00000002.00000001.01000000.00000006.sdmp, lhgtogaW.pif, 00000006.00000000.1778301253.0000000000416000.00000002.00000001.01000000.00000006.sdmp, lhgtogaW.pif, 00000007.00000000.1778998992.0000000000416000.00000002.00000001.01000000.00000006.sdmp, lhgtogaW.pif, 0000000A.00000000.1881855840.0000000000416000.00000002.00000001.01000000.00000006.sdmp, lhgtogaW.pif, 0000000E.00000000.1938374574.0000000000416000.00000002.00000001.01000000.00000006.sdmp, lhgtogaW.pif.0.dr String found in binary or memory: http://www.pmail.com
Source: bhv1938.tmp.5.dr String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437
Source: bhv1938.tmp.5.dr String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d
Source: bhv1938.tmp.5.dr String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03
Source: bhv1938.tmp.5.dr String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7
Source: bhv1938.tmp.5.dr String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5
Source: bhv1938.tmp.5.dr String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742
Source: bhv1938.tmp.5.dr String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc
Source: bhv1938.tmp.5.dr String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d
Source: bhv1938.tmp.5.dr String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W
Source: bhv1938.tmp.5.dr String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326
Source: bhv1938.tmp.5.dr String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68
Source: bhv1938.tmp.5.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv1938.tmp.5.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv1938.tmp.5.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv1938.tmp.5.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv1938.tmp.5.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhv1938.tmp.5.dr String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv1938.tmp.5.dr String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: Wagotghl.PIF, 00000008.00000003.1882438284.00000000008EB000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000003.1938923041.0000000000651000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bnaqzw.sn.files.1drv.com/
Source: SHEOrder-10524.exe, 00000000.00000002.1719110416.00000000008EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bnaqzw.sn.files.1drv.com/W
Source: Wagotghl.PIF, 00000008.00000003.1882438284.00000000008EB000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000002.1885488700.000000000091D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bnaqzw.sn.files.1drv.com/y4mFB-7cF0RJhpIN7Sx_6Q1D2DImE5mQPbbhluzK7S-dhQrKxqFk72nhp4k4_SdW3Ee
Source: SHEOrder-10524.exe, 00000000.00000002.1719110416.00000000008EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bnaqzw.sn.files.1drv.com/y4mUNi1irqpVap8qJ_hkhgVkZ9e6GpCglPli4DYI3goIWfA8FsMCycwJbzbnR6k4jns
Source: Wagotghl.PIF, 0000000B.00000002.1940504493.0000000000662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bnaqzw.sn.files.1drv.com/y4mjSrmVGqdqL8hnH_btf-6Qys453bsv2FyIiEEOlZHaw9haei9AHV5FIa03OCcOV-q
Source: Wagotghl.PIF, 0000000B.00000003.1938923041.0000000000651000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000002.1940504493.0000000000659000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bnaqzw.sn.files.1drv.com/y4msc3kYI7yGn3gEL_3gJvdpmyEkhOCRDBRFk1eCCUOzN0wBjvROvE3UIu0RkWHiUlu
Source: Wagotghl.PIF, 00000008.00000002.1885488700.0000000000925000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000003.1882438284.00000000008EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bnaqzw.sn.files.1drv.com:443/y4mFB-7cF0RJhpIN7Sx_6Q1D2DImE5mQPbbhluzK7S-dhQrKxqFk72nhp4k4_Sd
Source: SHEOrder-10524.exe, 00000000.00000002.1719110416.00000000008EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bnaqzw.sn.files.1drv.com:443/y4mUNi1irqpVap8qJ_hkhgVkZ9e6GpCglPli4DYI3goIWfA8FsMCycwJbzbnR6k
Source: Wagotghl.PIF, 0000000B.00000003.1938923041.0000000000651000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000002.1940504493.0000000000694000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bnaqzw.sn.files.1drv.com:443/y4msc3kYI7yGn3gEL_3gJvdpmyEkhOCRDBRFk1eCCUOzN0wBjvROvE3UIu0RkWH
Source: bhv1938.tmp.5.dr String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhv1938.tmp.5.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: bhv1938.tmp.5.dr String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv1938.tmp.5.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv1938.tmp.5.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr
Source: bhv1938.tmp.5.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr
Source: bhv1938.tmp.5.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD
Source: bhv1938.tmp.5.dr String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?99bdaa7641aea1439604d0afe8971477
Source: bhv1938.tmp.5.dr String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?bc7d158a1b0c0bcddb88a222b6122bda
Source: bhv1938.tmp.5.dr String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8
Source: bhv1938.tmp.5.dr String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c
Source: bhv1938.tmp.5.dr String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?4be9f57fdbd89d63c136fa90032d1d91
Source: bhv1938.tmp.5.dr String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?e5772e13592c9d33c9159aed24f891a7
Source: bhv1938.tmp.5.dr String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?a6aceac28fb5ae421a73cab7cdd76bd8
Source: bhv1938.tmp.5.dr String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?b57fe5cd49060a950d25a1d237496815
Source: bhv1938.tmp.5.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?2f6c563d6db8702d4f61cfc28e14d6ba
Source: bhv1938.tmp.5.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?3dacce210479f0b4d47ed33c21160712
Source: bhv1938.tmp.5.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?7e0e9c3a9f02f17275e789accf11532b
Source: bhv1938.tmp.5.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?81f59f7d566abbd2077a5b6cdfd04c7b
Source: bhv1938.tmp.5.dr String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?3c5bdbf226e2549812723f51b8fe2023
Source: bhv1938.tmp.5.dr String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?c50299ad5b45bb3d4c7a57024998a291
Source: bhv1938.tmp.5.dr String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: SHEOrder-10524.exe, 00000000.00000002.1719110416.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000003.1882438284.00000000008EB000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000002.1885488700.0000000000902000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000003.1938923041.0000000000651000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000002.1940504493.0000000000671000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://live.com/
Source: bhv1938.tmp.5.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv1938.tmp.5.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: lhgtogaW.pif, 00000005.00000003.1793746944.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
Source: bhv1938.tmp.5.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: bhv1938.tmp.5.dr String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3
Source: bhv1938.tmp.5.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae
Source: lhgtogaW.pif String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv1938.tmp.5.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv1938.tmp.5.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_sKiljltKC1Ne_Y3fl1HuHQ2.css
Source: bhv1938.tmp.5.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qo
Source: bhv1938.tmp.5.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv1938.tmp.5.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2.js
Source: bhv1938.tmp.5.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv1938.tmp.5.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv1938.tmp.5.dr String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv1938.tmp.5.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhv1938.tmp.5.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=27ff908e89d7b6264fde
Source: bhv1938.tmp.5.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=586ba6
Source: bhv1938.tmp.5.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=7ccb04
Source: bhv1938.tmp.5.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=b1ed69
Source: SHEOrder-10524.exe, 00000000.00000002.1719110416.00000000008A8000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000002.1884851023.000000000088E000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000003.1882438284.000000000086A000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000003.1938923041.0000000000636000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/
Source: Wagotghl.PIF, 0000000B.00000002.1949920072.0000000013C5D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/downlo
Source: Wagotghl.PIF, 0000000B.00000002.1949920072.0000000013C40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download?resid=B24528E77689F9AC%21162&authkey=
Source: bhv1938.tmp.5.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d
Source: bhv1938.tmp.5.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad
Source: bhv1938.tmp.5.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8
Source: bhv1938.tmp.5.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv1938.tmp.5.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhv1938.tmp.5.dr String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993
Source: bhv1938.tmp.5.dr String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: bhv1938.tmp.5.dr String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2
Source: bhv1938.tmp.5.dr String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59
Source: bhv1938.tmp.5.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: lhgtogaW.pif, 00000004.00000002.4157153882.0000000027490000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: lhgtogaW.pif String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv1938.tmp.5.dr String found in binary or memory: https://www.office.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49745 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 4_2_0040A2B8
Source: C:\Users\Public\Libraries\lhgtogaW.pif Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\lhgtogaW.pif Jump to behavior
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 4_2_0040B70E
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 4_2_004168C1
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 4_1_004168C1
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 5_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 5_2_0040987A
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 5_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 5_2_004098E2
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 4_2_0040B70E
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 4_2_0040A3E0
Source: Yara match File source: Process Memory Space: SHEOrder-10524.exe PID: 7276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 8068, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4155660149.000000002416C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.1717466391.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4156653259.0000000025BBF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000001.1938580336.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4137990797.0000000000490000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000001.1938580336.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4155660149.000000002412E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1733060343.000000007E790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.1882448821.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1775014710.0000000024164000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4137990797.0000000000AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.1717466391.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SHEOrder-10524.exe PID: 7276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 8068, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0041C9E2 SystemParametersInfoW, 4_2_0041C9E2
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_0041C9E2 SystemParametersInfoW, 4_1_0041C9E2

System Summary

Source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000001.1717466391.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000E.00000001.1938580336.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000002.4137990797.0000000000490000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000E.00000001.1938580336.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1733060343.000000007E790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000001.1882448821.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000004.00000002.4137990797.0000000000AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000001.1717466391.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: SHEOrder-10524.exe PID: 7276, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: lhgtogaW.pif PID: 7432, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: lhgtogaW.pif PID: 7868, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: lhgtogaW.pif PID: 8068, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\Public\Libraries\WagotghlO.bat, type: DROPPED Matched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen
Source: initial sample Static PE information: Filename: SHEOrder-10524.exe
Source: C:\Users\Public\Libraries\lhgtogaW.pif Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028DC3F8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_028DC3F8
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028DC368 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_028DC368
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028DC4DC RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 0_2_028DC4DC
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028D7AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_028D7AC0
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028D7968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 0_2_028D7968
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028D7F48 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 0_2_028D7F48
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028DC3F6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_028DC3F6
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028D7966 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 0_2_028D7966
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028D7F46 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 0_2_028D7F46
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 4_2_004180EF
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 4_2_004132D2
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle, 4_2_0041BB09
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle, 4_2_0041BB35
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,TerminateProcess,GetLastError, 4_1_004180EF
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 4_1_004132D2
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle, 4_1_0041BB09
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_0041BB35 OpenProcess,NtResumeProcess,CloseHandle, 4_1_0041BB35
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 5_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 5_2_0040DD85
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 5_2_00401806 NtdllDefWindowProc_W, 5_2_00401806
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 5_2_004018C0 NtdllDefWindowProc_W, 5_2_004018C0
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028DCA6C CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle, 0_2_028DCA6C
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 4_2_004167B4
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 4_1_004167B4
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\easinvoker.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\lhgtogaW.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: String function: 028C44A0 appears 67 times
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: String function: 028C4824 appears 883 times
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: String function: 028C4698 appears 247 times
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: String function: 028D7BE8 appears 45 times
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: String function: 028C6658 appears 32 times
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: String function: 00434E10 appears 108 times
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: String function: 0040417E appears 46 times
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: String function: 00402093 appears 100 times
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: String function: 00434770 appears 82 times
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: String function: 004169A7 appears 87 times
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: String function: 004165FF appears 35 times
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: String function: 00411F67 appears 32 times
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: String function: 004020DF appears 40 times
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: String function: 004484CA appears 36 times
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: String function: 004046F7 appears 34 times
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: String function: 00402213 appears 38 times
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: String function: 004052FD appears 32 times
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: String function: 00401E65 appears 70 times
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: String function: 00401FAB appears 42 times
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: String function: 00457A28 appears 34 times
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: String function: 00416760 appears 69 times
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: String function: 004458D0 appears 56 times
Source: netutils.dll.0.dr Static PE information: Number of sections : 19 > 10
Source: SHEOrder-10524.exe Binary or memory string: OriginalFilename vs SHEOrder-10524.exe
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs SHEOrder-10524.exe
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs SHEOrder-10524.exe
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs SHEOrder-10524.exe
Source: SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs SHEOrder-10524.exe
Source: SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs SHEOrder-10524.exe
Source: SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs SHEOrder-10524.exe
Source: SHEOrder-10524.exe, 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs SHEOrder-10524.exe
Source: SHEOrder-10524.exe, 00000000.00000003.1676709365.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs SHEOrder-10524.exe
Source: SHEOrder-10524.exe, 00000000.00000002.1732244936.0000000014BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs SHEOrder-10524.exe
Source: SHEOrder-10524.exe, 00000000.00000002.1732244936.0000000014BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs SHEOrder-10524.exe
Source: SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs SHEOrder-10524.exe
Source: SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs SHEOrder-10524.exe
Source: SHEOrder-10524.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000001.1717466391.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000E.00000001.1938580336.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.4137990797.0000000000490000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000E.00000001.1938580336.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1733060343.000000007E790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000001.1882448821.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.4137990797.0000000000AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000001.1717466391.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: SHEOrder-10524.exe PID: 7276, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: lhgtogaW.pif PID: 7432, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: lhgtogaW.pif PID: 7868, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: lhgtogaW.pif PID: 8068, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\Public\Libraries\WagotghlO.bat, type: DROPPED Matched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload
Source: classification engine Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@21/12@4/3
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 5_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z, 5_2_004182CE
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 4_2_00417952
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 4_1_00417952
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028C7F8E GetDiskFreeSpaceA, 0_2_028C7F8E
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 4_2_0040F474
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028D6D84 CoCreateInstance, 0_2_028D6D84
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, 4_2_0041B4A8
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 4_2_0041AA4A
Source: C:\Users\user\Desktop\SHEOrder-10524.exe File created: C:\Users\Public\Libraries\Null
Source: C:\Users\Public\Libraries\lhgtogaW.pif Mutant created: \Sessions\1\BaseNamedObjects\Rmc-V052BG
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Users\Public\Libraries\lhgtogaW.pif File created: C:\Users\user\AppData\Local\Temp\bhv1938.tmp
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\WagotghlO.bat" "
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Software\ 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Rmc-V052BG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Exe 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Exe 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Rmc-V052BG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Inj 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Inj 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: 8SG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: exepath 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: 8SG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: exepath 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: licence 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: dMG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PSG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Administrator 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: User 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: del 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: del 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: del 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Software\ 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Rmc-V052BG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Exe 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Exe 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Rmc-V052BG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Inj 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Inj 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: 8SG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: exepath 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: 8SG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: exepath 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: licence 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: dMG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PSG 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Administrator 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: User 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: del 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: del 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: del 4_2_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Software\ 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Rmc-V052BG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Exe 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Exe 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Rmc-V052BG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Inj 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Inj 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: 8SG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: exepath 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: 8SG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: exepath 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: licence 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: dMG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: PSG 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: Administrator 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: User 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: del 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: del 4_1_0040E9C5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Command line argument: del 4_1_0040E9C5
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wagotghl.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wagotghl.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wagotghl.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wagotghl.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\lhgtogaW.pif System information queried: HandleInformation
Source: C:\Users\Public\Libraries\lhgtogaW.pif File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: lhgtogaW.pif, lhgtogaW.pif, 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: lhgtogaW.pif, lhgtogaW.pif, 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000006.00000002.1779576996.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: lhgtogaW.pif, 00000004.00000002.4156997111.00000000273A0000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: lhgtogaW.pif, lhgtogaW.pif, 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: lhgtogaW.pif, lhgtogaW.pif, 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: lhgtogaW.pif, lhgtogaW.pif, 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: lhgtogaW.pif, 00000005.00000003.1793696078.000000000220C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000005.00000002.1795170664.000000000220C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000005.00000003.1794124501.000000000220C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000005.00000003.1793767154.000000000220C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: lhgtogaW.pif, lhgtogaW.pif, 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: SHEOrder-10524.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\SHEOrder-10524.exe File read: C:\Users\user\Desktop\SHEOrder-10524.exe
Source: unknown Process created: C:\Users\user\Desktop\SHEOrder-10524.exe "C:\Users\user\Desktop\SHEOrder-10524.exe"
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\WagotghlO.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\SHEOrder-10524.exe C:\\Users\\Public\\Libraries\\Wagotghl.PIF
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif
Source: C:\Users\Public\Libraries\lhgtogaW.pif Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\zhrdpmieysz"
Source: C:\Users\Public\Libraries\lhgtogaW.pif Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\kbfnqftxmarjte"
Source: C:\Users\Public\Libraries\lhgtogaW.pif Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\mekgrxezaijovlxyi"
Source: unknown Process created: C:\Users\Public\Libraries\Wagotghl.PIF "C:\Users\Public\Libraries\Wagotghl.PIF"
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif
Source: unknown Process created: C:\Users\Public\Libraries\Wagotghl.PIF "C:\Users\Public\Libraries\Wagotghl.PIF"
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\WagotghlO.bat" "
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\SHEOrder-10524.exe C:\\Users\\Public\\Libraries\\Wagotghl.PIF
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif
Source: C:\Users\Public\Libraries\lhgtogaW.pif Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\zhrdpmieysz"
Source: C:\Users\Public\Libraries\lhgtogaW.pif Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\kbfnqftxmarjte"
Source: C:\Users\Public\Libraries\lhgtogaW.pif Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\mekgrxezaijovlxyi"
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: url.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: eamsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: smartscreenps.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ???y.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ???.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??????s.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: winhttpcom.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\Libraries\lhgtogaW.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: SHEOrder-10524.exe Static file information: File size 1646592 > 1048576
Source: SHEOrder-10524.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x114c00
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source: Binary string: easinvoker.pdbH source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1732244936.0000000014BF0000.00000004.00000020.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr

Data Obfuscation

Source: C:\Users\Public\Libraries\lhgtogaW.pif Unpacked PE file: 4.2.lhgtogaW.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;
Source: C:\Users\Public\Libraries\lhgtogaW.pif Unpacked PE file: 5.2.lhgtogaW.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\Public\Libraries\lhgtogaW.pif Unpacked PE file: 6.2.lhgtogaW.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\Public\Libraries\lhgtogaW.pif Unpacked PE file: 7.2.lhgtogaW.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\Public\Libraries\lhgtogaW.pif Unpacked PE file: 4.2.lhgtogaW.pif.400000.0.unpack
Source: Yara match File source: 0.2.SHEOrder-10524.exe.28c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1719936963.0000000002315000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1942171245.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1676709365.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: lhgtogaW.pif.0.dr Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028D7AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_028D7AC0
Source: easinvoker.exe.0.dr Static PE information: section name: .imrsiv
Source: netutils.dll.0.dr Static PE information: section name: .xdata
Source: netutils.dll.0.dr Static PE information: section name: /4
Source: netutils.dll.0.dr Static PE information: section name: /19
Source: netutils.dll.0.dr Static PE information: section name: /31
Source: netutils.dll.0.dr Static PE information: section name: /45
Source: netutils.dll.0.dr Static PE information: section name: /57
Source: netutils.dll.0.dr Static PE information: section name: /70
Source: netutils.dll.0.dr Static PE information: section name: /81
Source: netutils.dll.0.dr Static PE information: section name: /92
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028EA2F4 push 028EA35Fh; ret 0_2_028EA357
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028C32F0 push eax; ret 0_2_028C332C
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028DD20C push ecx; mov dword ptr [esp], edx 0_2_028DD211
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028C6374 push 028C63CFh; ret 0_2_028C63C7
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028C6372 push 028C63CFh; ret 0_2_028C63C7
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028EA0AC push 028EA125h; ret 0_2_028EA11D
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028D3028 push 028D3075h; ret 0_2_028D306D
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028D3027 push 028D3075h; ret 0_2_028D306D
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028EA1F8 push 028EA288h; ret 0_2_028EA280
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028EA144 push 028EA1ECh; ret 0_2_028EA1E4
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028C673E push 028C6782h; ret 0_2_028C677A
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028C6740 push 028C6782h; ret 0_2_028C677A
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028CC528 push ecx; mov dword ptr [esp], edx 0_2_028CC52D
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028CD55C push 028CD588h; ret 0_2_028CD580
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028CCBA8 push 028CCD2Eh; ret 0_2_028CCD26
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028D9B58 push 028D9B90h; ret 0_2_028D9B88
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028E9B70 push 028E9D8Eh; ret 0_2_028E9D86
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028D78C8 push 028D7945h; ret 0_2_028D793D
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028CC8D6 push 028CCD2Eh; ret 0_2_028CCD26
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028D6904 push 028D69AFh; ret 0_2_028D69A7
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028D6902 push 028D69AFh; ret 0_2_028D69A7
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028D5E38 push ecx; mov dword ptr [esp], edx 0_2_028D5E3A
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028D2F1C push 028D2F92h; ret 0_2_028D2F8A
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028EDF18 push eax; ret 0_2_028EDFE8
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028D7CA8 push 028D7CE0h; ret 0_2_028D7CD8
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028D7CA6 push 028D7CE0h; ret 0_2_028D7CD8
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00457106 push ecx; ret 4_2_00457119
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0045B11A push esp; ret 4_2_0045B141
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00457A28 push eax; ret 4_2_00457A46
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00434E56 push ecx; ret 4_2_00434E69
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_274C2806 push ecx; ret 4_2_274C2819

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\SHEOrder-10524.exe File created: C:\Users\Public\Libraries\lhgtogaW.pif
Source: C:\Windows\SysWOW64\extrac32.exe File created: C:\Users\Public\Libraries\Wagotghl.PIF
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00406EB0 ShellExecuteW,URLDownloadToFileW, 4_2_00406EB0
Source: C:\Users\user\Desktop\SHEOrder-10524.exe File created: C:\Users\Public\Libraries\easinvoker.exe
Source: C:\Users\user\Desktop\SHEOrder-10524.exe File created: C:\Users\Public\Libraries\netutils.dll
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 4_2_0041AA4A
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wagotghl
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028D9B94 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_028D9B94
Source: C:\Users\Public\Libraries\Wagotghl.PIF Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\Public\Libraries\Wagotghl.PIF Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\lhgtogaW.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\lhgtogaW.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\lhgtogaW.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\lhgtogaW.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\lhgtogaW.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0040F7A7 Sleep,ExitProcess, 4_2_0040F7A7
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_0040F7A7 Sleep,ExitProcess, 4_1_0040F7A7
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 5_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 5_2_0040DD85
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 4_2_0041A748
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 4_1_0041A748
Source: C:\Users\Public\Libraries\lhgtogaW.pif Window / User API: threadDelayed 614
Source: C:\Users\Public\Libraries\lhgtogaW.pif Window / User API: threadDelayed 9052
Source: C:\Users\Public\Libraries\lhgtogaW.pif Window / User API: foregroundWindowGot 1762
Source: C:\Users\Public\Libraries\lhgtogaW.pif Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Dropped PE file which has not been started: C:\Users\Public\Libraries\easinvoker.exe
Source: C:\Users\Public\Libraries\lhgtogaW.pif TID: 7460 Thread sleep count: 130 > 30
Source: C:\Users\Public\Libraries\lhgtogaW.pif TID: 7460 Thread sleep time: -65000s >= -30000s
Source: C:\Users\Public\Libraries\lhgtogaW.pif TID: 7464 Thread sleep count: 614 > 30
Source: C:\Users\Public\Libraries\lhgtogaW.pif TID: 7464 Thread sleep time: -1842000s >= -30000s
Source: C:\Users\Public\Libraries\lhgtogaW.pif TID: 7464 Thread sleep count: 9052 > 30
Source: C:\Users\Public\Libraries\lhgtogaW.pif TID: 7464 Thread sleep time: -27156000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028C58CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_028C58CC
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_2_00409253
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 4_2_0041C291
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 4_2_0040C34D
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_2_00409665
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 4_2_0040880C
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0040783C FindFirstFileW,FindNextFileW, 4_2_0040783C
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 4_2_00419AF5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 4_2_0040BB30
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 4_2_0040BD37
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_274C10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_274C10F1
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_1_00409253
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 4_1_0041C291
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 4_1_0040C34D
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_1_00409665
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 4_1_0040880C
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_0040783C FindFirstFileW,FindNextFileW, 4_1_0040783C
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 4_1_00419AF5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 4_1_0040BB30
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 4_1_0040BD37
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 5_2_0040AE51 FindFirstFileW,FindNextFileW, 5_2_0040AE51
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 4_2_00407C97
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 5_2_00418981 memset,GetSystemInfo, 5_2_00418981
Source: SHEOrder-10524.exe, 00000000.00000002.1719110416.00000000008A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: SHEOrder-10524.exe, 00000000.00000002.1719110416.00000000008BF000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1752355443.00000000241B3000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1795698080.00000000241B3000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4155660149.00000000241B8000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1795698080.00000000241B8000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4155660149.000000002412E000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1752355443.00000000241B8000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1795167395.00000000241B8000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000003.1882438284.000000000089F000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000003.1882438284.000000000086A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: bhv1938.tmp.5.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: Wagotghl.PIF, 0000000B.00000003.1938923041.0000000000613000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000002.1940504493.0000000000620000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW-spov-0006.spov-msedge.netLMEM@0
Source: bhv1938.tmp.5.dr Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
Source: C:\Users\user\Desktop\SHEOrder-10524.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\lhgtogaW.pif API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\lhgtogaW.pif Process information queried: ProcessInformation
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_004349F9
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028D7AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_028D7AC0
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_004432B5 mov eax, dword ptr fs:[00000030h] 4_2_004432B5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_274C4AB4 mov eax, dword ptr fs:[00000030h] 4_2_274C4AB4
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_004432B5 mov eax, dword ptr fs:[00000030h] 4_1_004432B5
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00411CFE SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, 4_2_00411CFE
Source: C:\Users\Public\Libraries\lhgtogaW.pif Process token adjusted: Debug
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00434B47 SetUnhandledExceptionFilter, 4_2_00434B47
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0043BB22
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00434FDC
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_274C2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_274C2639
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_274C60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_274C60E2
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_274C2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_274C2B1C
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_1_004349F9
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_00434B47 SetUnhandledExceptionFilter, 4_1_00434B47
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_1_0043BB22
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_1_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_1_00434FDC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SHEOrder-10524.exe Memory allocated: C:\Users\Public\Libraries\lhgtogaW.pif base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Memory allocated: C:\Users\Public\Libraries\lhgtogaW.pif base: 121A0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Wagotghl.PIF Memory allocated: C:\Users\Public\Libraries\lhgtogaW.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Wagotghl.PIF Memory allocated: C:\Users\Public\Libraries\lhgtogaW.pif base: 121A0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Wagotghl.PIF Memory allocated: C:\Users\Public\Libraries\lhgtogaW.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Wagotghl.PIF Memory allocated: C:\Users\Public\Libraries\lhgtogaW.pif base: 1E060000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 4_2_004180EF
Source: C:\Users\Public\Libraries\lhgtogaW.pif Section loaded: NULL target: C:\Users\Public\Libraries\lhgtogaW.pif protection: execute and read and write
Source: C:\Users\Public\Libraries\lhgtogaW.pif Section loaded: NULL target: C:\Users\Public\Libraries\lhgtogaW.pif protection: execute and read and write
Source: C:\Users\Public\Libraries\lhgtogaW.pif Section loaded: NULL target: C:\Users\Public\Libraries\lhgtogaW.pif protection: execute and read and write
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section unmapped: C:\Users\Public\Libraries\lhgtogaW.pif base address: 400000
Source: C:\Users\Public\Libraries\Wagotghl.PIF Section unmapped: C:\Users\Public\Libraries\lhgtogaW.pif base address: 400000
Source: C:\Users\Public\Libraries\Wagotghl.PIF Section unmapped: C:\Users\Public\Libraries\lhgtogaW.pif base address: 400000
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Memory written: C:\Users\Public\Libraries\lhgtogaW.pif base: 222008
Source: C:\Users\Public\Libraries\Wagotghl.PIF Memory written: C:\Users\Public\Libraries\lhgtogaW.pif base: 36F008
Source: C:\Users\Public\Libraries\Wagotghl.PIF Memory written: C:\Users\Public\Libraries\lhgtogaW.pif base: 271008
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 4_2_00412117
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 4_1_00412117
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00419627 mouse_event, 4_2_00419627
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif
Source: C:\Users\Public\Libraries\lhgtogaW.pif Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\zhrdpmieysz"
Source: C:\Users\Public\Libraries\lhgtogaW.pif Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\kbfnqftxmarjte"
Source: C:\Users\Public\Libraries\lhgtogaW.pif Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\mekgrxezaijovlxyi"
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif
Source: C:\Users\Public\Libraries\Wagotghl.PIF Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif
Source: lhgtogaW.pif, 00000004.00000003.1795698080.000000002419F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerh
Source: lhgtogaW.pif, 00000004.00000003.1795698080.000000002419F000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4155660149.000000002419F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: lhgtogaW.pif, 00000004.00000002.4155660149.00000000241B8000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4155660149.000000002419F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerBG\
Source: lhgtogaW.pif, 00000004.00000002.4155660149.000000002412E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerW
Source: lhgtogaW.pif, 00000004.00000002.4155660149.000000002416C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4155660149.000000002412E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: lhgtogaW.pif, 00000004.00000003.1752355443.00000000241A6000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4155660149.00000000241A6000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1795167395.00000000241A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Program Manager]
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00434C52 cpuid 4_2_00434C52
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 0_2_028DD5D0
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_028C5A90
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: GetLocaleInfoA, 0_2_028CA780
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: GetLocaleInfoA, 0_2_028CA7CC
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_028C5B9C
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 0_2_028DD5D0
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 0_2_028E5FA0
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoA, 4_2_0040F8D1
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: EnumSystemLocalesW, 4_2_00452036
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_2_004520C3
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW, 4_2_00452313
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: EnumSystemLocalesW, 4_2_00448404
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_0045243C
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW, 4_2_00452543
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_00452610
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW, 4_2_004488ED
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_00451CD8
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: EnumSystemLocalesW, 4_2_00451F50
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: EnumSystemLocalesW, 4_2_00451F9B
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoA, 4_1_0040F8D1
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: EnumSystemLocalesW, 4_1_00452036
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_1_004520C3
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW, 4_1_00452313
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: EnumSystemLocalesW, 4_1_00448404
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_1_0045243C
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW, 4_1_00452543
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_1_00452610
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW, 4_1_004488ED
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_1_00451CD8
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: EnumSystemLocalesW, 4_1_00451F50
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: EnumSystemLocalesW, 4_1_00451F9B
Source: C:\Users\Public\Libraries\lhgtogaW.pif Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028C91C8 GetLocalTime, 0_2_028C91C8
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0041B60D GetComputerNameExW,GetUserNameW, 4_2_0041B60D
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_004493AD _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 4_2_004493AD
Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028CB748 GetVersionExA, 0_2_028CB748
Source: C:\Users\Public\Libraries\lhgtogaW.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: avgemc.exe
Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4155660149.000000002416C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.1717466391.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4156653259.0000000025BBF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000001.1938580336.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4137990797.0000000000490000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000001.1938580336.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4155660149.000000002412E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1733060343.000000007E790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.1882448821.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1775014710.0000000024164000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4137990797.0000000000AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.1717466391.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SHEOrder-10524.exe PID: 7276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 8068, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 4_2_0040BA12
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 4_1_0040BA12
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 4_2_0040BB30
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: \key3.db 4_2_0040BB30
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 4_1_0040BB30
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: \key3.db 4_1_0040BB30
Source: C:\Users\Public\Libraries\lhgtogaW.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\Public\Libraries\lhgtogaW.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\lhgtogaW.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\lhgtogaW.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\Public\Libraries\lhgtogaW.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\Public\Libraries\lhgtogaW.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\Public\Libraries\lhgtogaW.pif Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\Public\Libraries\lhgtogaW.pif Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\Public\Libraries\lhgtogaW.pif Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\Public\Libraries\lhgtogaW.pif Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\Public\Libraries\lhgtogaW.pif Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Users\Public\Libraries\lhgtogaW.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\Public\Libraries\lhgtogaW.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\Public\Libraries\lhgtogaW.pif Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\Public\Libraries\lhgtogaW.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7548, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\Public\Libraries\lhgtogaW.pif Mutex created: \Sessions\1\BaseNamedObjects\Rmc-V052BG
Source: C:\Users\Public\Libraries\lhgtogaW.pif Mutex created: \Sessions\1\BaseNamedObjects\Rmc-V052BG
Source: C:\Users\Public\Libraries\lhgtogaW.pif Mutex created: \Sessions\1\BaseNamedObjects\Rmc-V052BG
Source: Yara match File source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4155660149.000000002416C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.1717466391.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4156653259.0000000025BBF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000001.1938580336.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4137990797.0000000000490000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000001.1938580336.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4155660149.000000002412E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1733060343.000000007E790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.1882448821.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1775014710.0000000024164000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4137990797.0000000000AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.1717466391.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SHEOrder-10524.exe PID: 7276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 8068, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: cmd.exe 4_2_0040569A
Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: cmd.exe 4_1_0040569A