Windows Analysis Report
cKAfpUFqZ7.exe

Overview

General Information

Sample name: cKAfpUFqZ7.exe
(renamed because the original name is a hash value)
Original sample name: 28d8408ad6ae09d1d703b0b8ca78d670N.exe
Analysis ID: 1472669
MD5: 28d8408ad6ae09d1d703b0b8ca78d670
SHA1: 75645b81c0b05b4527c5cafeb1f5cd5c21b3f475
SHA256: 1da8b868bd5d60050d40adae98482f1310d3679948dd1cee7a1b4a8ef9a396f0
Tags: exe, RAT, Remcos

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Yara detected Remcos RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN instruction, VMware)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: cKAfpUFqZ7.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl_signed.exe Avira: detection malicious, Label: HEUR/AGEN.1350963
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Avira: detection malicious, Label: HEUR/AGEN.1350963
Source: 6.2.sbietrcl.exe.3bda520.1.raw.unpack Malware Configuration Extractor: Remcos {"Host:Port:Password": "213.183.58.19:4000", "Assigned name": "Host", "Connect interval": "5", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "remcos", "Hide file": "Disable", "Mutex": "remcos_sccafsoidz", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "read.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screens", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "audio", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "CastC"}
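The extracted configuration above is the most actionable line in the report: it names the C2 endpoint, the mutex, the persistence value and the keylog location. The script below is an added example, not part of the Joe Sandbox output, that parses that configuration (copied verbatim into REMCOS_CONFIG) and derives the indicators a responder would hunt for. How each key maps to a registry value or file path is an assumption about how Remcos interprets its own settings, as is the "|" separator for multiple servers; neither is stated by the report. Note the edge cases the report itself exhibits: the Host:Port:Password field carries no password, and "Install flag: Disable" means the %APPDATA%\remcos\remcos.exe self-copy must not be expected (the .NET loader dropped sbietrcl.exe under Templates instead).

```python
"""Derive concrete indicators from the Remcos configuration the report extracted.

Added example, not part of the Joe Sandbox report.  REMCOS_CONFIG is copied
from the report's Malware Configuration Extractor output; the mapping of
config keys to registry and file locations is an assumption about how Remcos
interprets its settings, not something the report states.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Copied from the report (screenshot/audio fields omitted; they are disabled).
REMCOS_CONFIG = {
    "Host:Port:Password": "213.183.58.19:4000",
    "Assigned name": "Host",
    "Connect interval": "5",
    "Install flag": "Disable",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Disable",
    "Install path": "AppData",
    "Copy file": "remcos.exe",
    "Startup value": "remcos",
    "Hide file": "Disable",
    "Mutex": "remcos_sccafsoidz",
    "Keylog flag": "1",
    "Keylog path": "AppData",
    "Keylog file": "read.dat",
    "Keylog crypt": "Enable",
    "Hide keylog file": "Enable",
    "Copy folder": "remcos",
    "Keylog folder": "CastC",
}

# Remcos path keyword -> environment root (assumption; only the keyword this
# config uses is mapped, anything else is passed through unchanged).
PATH_ROOTS = {"AppData": "%APPDATA%"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass(frozen=True)
class C2:
    host: str
    port: int
    password: Optional[str]


def parse_c2(field: str) -> List[C2]:
    """Split the 'Host:Port:Password' field into C2 entries.

    Assumption: several servers may be packed into one field separated by
    '|'.  The password is optional (absent in this report) and may itself
    contain ':', so only the first two ':'-separated pieces are host/port.
    """
    servers = []
    for entry in field.split("|"):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, rest = entry.partition(":")
        port_str, _, password = rest.partition(":")
        if not sep or not port_str.isdigit() or not 0 < int(port_str) < 65536:
            raise ValueError(f"unparseable C2 entry: {entry!r}")
        servers.append(C2(host, int(port_str), password or None))
    return servers


def indicators(cfg: dict) -> dict:
    """Turn the config into things a responder can actually search for."""
    ioc = {
        "network": [f"tcp://{c.host}:{c.port}"
                    for c in parse_c2(cfg["Host:Port:Password"])],
        "mutex": cfg.get("Mutex"),
        "registry": [],
        "files": [],
    }
    value = cfg.get("Startup value", "")
    for hive in ("HKCU", "HKLM"):
        if cfg.get(f"Setup {hive}\\Run") == "Enable":
            ioc["registry"].append(ntpath.join(hive, RUN_KEY, value))
    # The self-copy only exists when installation is enabled.  In this report
    # it is disabled, so %APPDATA%\remcos\remcos.exe must not be listed.
    if cfg.get("Install flag") == "Enable":
        root = PATH_ROOTS.get(cfg["Install path"], cfg["Install path"])
        ioc["files"].append({
            "kind": "copy",
            "path": ntpath.join(root, cfg["Copy folder"], cfg["Copy file"]),
        })
    if cfg.get("Keylog flag") == "1":
        root = PATH_ROOTS.get(cfg["Keylog path"], cfg["Keylog path"])
        ioc["files"].append({
            "kind": "keylog",
            "path": ntpath.join(root, cfg["Keylog folder"], cfg["Keylog file"]),
            "encrypted": cfg.get("Keylog crypt") == "Enable",
            "hidden": cfg.get("Hide keylog file") == "Enable",
        })
    return ioc


if __name__ == "__main__":
    for key, val in indicators(REMCOS_CONFIG).items():
        print(f"{key}: {val}")
```

For this sample the output is one C2 endpoint (tcp://213.183.58.19:4000), the mutex remcos_sccafsoidz, a single Run value HKCU\...\Run\remcos, and an encrypted, hidden keylog at %APPDATA%\CastC\read.dat; the copy path is correctly absent because installation is disabled.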
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe ReversingLabs: Detection: 86%
Source: cKAfpUFqZ7.exe ReversingLabs: Detection: 86%
Source: Yara match File source: 3.2.sbietrcl.exe.4558a50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sbietrcl.exe.3f98ae0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.sbietrcl.exe.3bda520.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sbietrcl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.sbietrcl.exe.4558a50.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.sbietrcl.exe.3bda520.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sbietrcl.exe.3f98ae0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sbietrcl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2216897108.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2299691163.0000000003F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2210506466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2093756977.0000000004558000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2293718713.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2213783406.0000000002BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2091212670.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sbietrcl.exe PID: 7280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sbietrcl.exe PID: 7324, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sbietrcl.exe PID: 7592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sbietrcl.exe PID: 7684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sbietrcl.exe PID: 7736, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.2% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl_signed.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Joe Sandbox ML: detected
Source: cKAfpUFqZ7.exe Joe Sandbox ML: detected
Source: cKAfpUFqZ7.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: cKAfpUFqZ7.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Aditza\Desktop\SignAssembly\SignAssembly\obj\Release\SignAssembly.pdb source: cKAfpUFqZ7.exe, 00000000.00000002.2074969632.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp, cKAfpUFqZ7.exe, 00000000.00000002.2080596937.0000000006700000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: mscorsvw.pdb source: cKAfpUFqZ7.exe, 00000000.00000002.2080364798.0000000006600000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorsvw.pdbD source: cKAfpUFqZ7.exe, 00000000.00000002.2080364798.0000000006600000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_00402C45 _EH_prolog,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@
@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hst 7_2_00402C45
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_0040BC9B ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?
$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 7_2_0040BC9B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_00403183 wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_str
ing@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allo 7_2_00403183
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_0040F234 SetFileAttributesA,FindFirstFileA,FindNextFileA,RemoveDirectoryA,SetFileAttributesA,DeleteFileA,GetLastError,FindClose,RemoveDirectoryA,FindClose, 7_2_0040F234
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_00405AFB Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 7_2_00405AFB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_t
raits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,URLDownloadToFileA,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,ShellExecuteA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_ 7_2_0040A71E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_004057B6 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@
@QBEPBDXZ,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 7_2_004057B6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_0040BEA2 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@
@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$ 7_2_0040BEA2

Networking

Source: Traffic Snort IDS: 2829308 ETPRO TROJAN MSIL/Remcos Variant CnC Checkin 192.168.2.5:49709 -> 213.183.58.19:4000
Source: Traffic Snort IDS: 2825929 ETPRO TROJAN MSIL/Remcos RAT CnC Checkin 192.168.2.5:49709 -> 213.183.58.19:4000
Source: Traffic Snort IDS: 2829308 ETPRO TROJAN MSIL/Remcos Variant CnC Checkin 192.168.2.5:49717 -> 213.183.58.19:4000
Source: Traffic Snort IDS: 2825929 ETPRO TROJAN MSIL/Remcos RAT CnC Checkin 192.168.2.5:49717 -> 213.183.58.19:4000
Source: Traffic Snort IDS: 2829308 ETPRO TROJAN MSIL/Remcos Variant CnC Checkin 192.168.2.5:49719 -> 213.183.58.19:4000
Source: Traffic Snort IDS: 2825929 ETPRO TROJAN MSIL/Remcos RAT CnC Checkin 192.168.2.5:49719 -> 213.183.58.19:4000
Source: Traffic Snort IDS: 2829308 ETPRO TROJAN MSIL/Remcos Variant CnC Checkin 192.168.2.5:49720 -> 213.183.58.19:4000
Source: Traffic Snort IDS: 2825929 ETPRO TROJAN MSIL/Remcos RAT CnC Checkin 192.168.2.5:49720 -> 213.183.58.19:4000
Source: Traffic Snort IDS: 2829308 ETPRO TROJAN MSIL/Remcos Variant CnC Checkin 192.168.2.5:49721 -> 213.183.58.19:4000
Source: Traffic Snort IDS: 2825929 ETPRO TROJAN MSIL/Remcos RAT CnC Checkin 192.168.2.5:49721 -> 213.183.58.19:4000
Source: Traffic Snort IDS: 2829308 ETPRO TROJAN MSIL/Remcos Variant CnC Checkin 192.168.2.5:49722 -> 213.183.58.19:4000
Source: Traffic Snort IDS: 2825929 ETPRO TROJAN MSIL/Remcos RAT CnC Checkin 192.168.2.5:49722 -> 213.183.58.19:4000
Source: Traffic Snort IDS: 2829308 ETPRO TROJAN MSIL/Remcos Variant CnC Checkin 192.168.2.5:49723 -> 213.183.58.19:4000
Source: Traffic Snort IDS: 2825929 ETPRO TROJAN MSIL/Remcos RAT CnC Checkin 192.168.2.5:49723 -> 213.183.58.19:4000
Source: Traffic Snort IDS: 2829308 ETPRO TROJAN MSIL/Remcos Variant CnC Checkin 192.168.2.5:49724 -> 213.183.58.19:4000
Source: Traffic Snort IDS: 2825929 ETPRO TROJAN MSIL/Remcos RAT CnC Checkin 192.168.2.5:49724 -> 213.183.58.19:4000
Source: Traffic Snort IDS: 2829308 ETPRO TROJAN MSIL/Remcos Variant CnC Checkin 192.168.2.5:49725 -> 213.183.58.19:4000
Source: Traffic Snort IDS: 2825929 ETPRO TROJAN MSIL/Remcos RAT CnC Checkin 192.168.2.5:49725 -> 213.183.58.19:4000
Source: Traffic Snort IDS: 2829308 ETPRO TROJAN MSIL/Remcos Variant CnC Checkin 192.168.2.5:49726 -> 213.183.58.19:4000
Source: Traffic Snort IDS: 2825929 ETPRO TROJAN MSIL/Remcos RAT CnC Checkin 192.168.2.5:49726 -> 213.183.58.19:4000
Source: Malware configuration extractor URLs: 213.183.58.19
Source: global traffic TCP traffic: 192.168.2.5:49709 -> 213.183.58.19:4000
Source: Joe Sandbox View ASN Name: MELBICOM-EU-AS Melbikomas UAB (NL)
Source: unknown TCP traffic detected without corresponding DNS query: 213.183.58.19
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_0040221C ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,malloc,recv,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,free,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 7_2_0040221C

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: [Esc] 7_2_004043BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: [Enter] 7_2_004043BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: [Tab] 7_2_004043BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: [Down] 7_2_004043BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: [Right] 7_2_004043BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: [Up] 7_2_004043BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: [Left] 7_2_004043BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: [End] 7_2_004043BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: [F2] 7_2_004043BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: [F1] 7_2_004043BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: [Del] 7_2_004043BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_00403877 SetWindowsHookExA 0000000D,0040385C,00000000 7_2_00403877
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_004050FC OpenClipboard,GetClipboardData,CloseClipboard,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z, 7_2_004050FC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,URLDownloadToFileA,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,ShellExecuteA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_ 7_2_0040A71E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_0040D71E CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,StretchBlt,GetObjectA,LocalAlloc,GlobalAlloc,GetDIBits,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,DeleteObject,GlobalFree,DeleteDC,DeleteDC,DeleteDC,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 7_2_0040D71E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_004038DB GetKeyState,GetKeyState,GetKeyState,CallNextHookEx, 7_2_004038DB

E-Banking Fraud

Source: Yara match File source: 3.2.sbietrcl.exe.4558a50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sbietrcl.exe.3f98ae0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.sbietrcl.exe.3bda520.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sbietrcl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.sbietrcl.exe.4558a50.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.sbietrcl.exe.3bda520.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sbietrcl.exe.3f98ae0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sbietrcl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2216897108.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2299691163.0000000003F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2210506466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2093756977.0000000004558000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2293718713.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2213783406.0000000002BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2091212670.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sbietrcl.exe PID: 7280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sbietrcl.exe PID: 7324, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sbietrcl.exe PID: 7592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sbietrcl.exe PID: 7684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sbietrcl.exe PID: 7736, type: MEMORYSTR

System Summary

Source: 3.2.sbietrcl.exe.4558a50.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.sbietrcl.exe.4558a50.5.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 3.2.sbietrcl.exe.4558a50.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.sbietrcl.exe.4558a50.5.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 8.2.sbietrcl.exe.3f98ae0.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.sbietrcl.exe.3f98ae0.2.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 8.2.sbietrcl.exe.3f98ae0.2.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.sbietrcl.exe.3f98ae0.2.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 7.2.sbietrcl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.sbietrcl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 7.2.sbietrcl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.sbietrcl.exe.3bda520.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.sbietrcl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 6.2.sbietrcl.exe.3bda520.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 6.2.sbietrcl.exe.3bda520.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.sbietrcl.exe.3bda520.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 3.2.sbietrcl.exe.4558a50.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.sbietrcl.exe.4558a50.5.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 3.2.sbietrcl.exe.4558a50.5.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.sbietrcl.exe.4558a50.5.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 6.2.sbietrcl.exe.3bda520.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.sbietrcl.exe.3bda520.1.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 6.2.sbietrcl.exe.3bda520.1.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.sbietrcl.exe.3bda520.1.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 8.2.sbietrcl.exe.3f98ae0.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.sbietrcl.exe.3f98ae0.2.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 8.2.sbietrcl.exe.3f98ae0.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.sbietrcl.exe.3f98ae0.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 7.2.sbietrcl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.sbietrcl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 7.2.sbietrcl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.sbietrcl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000006.00000002.2216897108.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2299691163.0000000003F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2210506466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000007.00000002.2210506466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
Source: 00000007.00000002.2210506466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2210506466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000003.00000002.2093756977.0000000004558000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2293718713.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2213783406.0000000002BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2091212670.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 3_2_06FD0C06 NtQuerySystemInformation, 3_2_06FD0C06
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 3_2_06FD0BDE NtQuerySystemInformation, 3_2_06FD0BDE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 6_2_04E40C06 NtQuerySystemInformation, 6_2_04E40C06
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 6_2_04E40BDE NtQuerySystemInformation, 6_2_04E40BDE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 8_2_06AA0C06 NtQuerySystemInformation, 8_2_06AA0C06
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 8_2_06AA0BDE NtQuerySystemInformation, 8_2_06AA0BDE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,URLDownloadToFileA,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,ShellExecuteA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_ 7_2_0040A71E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: String function: 0040FC1A appears 54 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: String function: 0040FCBA appears 34 times
Source: cKAfpUFqZ7.exe Static PE information: invalid certificate
Source: cKAfpUFqZ7.exe Binary or memory string: OriginalFilename vs cKAfpUFqZ7.exe
Source: cKAfpUFqZ7.exe, 00000000.00000002.2075860442.0000000003E21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAMD Processor.exe< vs cKAfpUFqZ7.exe
Source: cKAfpUFqZ7.exe, 00000000.00000002.2079328874.0000000005210000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDecData.dll0 vs cKAfpUFqZ7.exe
Source: cKAfpUFqZ7.exe, 00000000.00000002.2080364798.0000000006600000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorsvw.exeT vs cKAfpUFqZ7.exe
Source: cKAfpUFqZ7.exe, 00000000.00000002.2074969632.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAddtoregistry.dll< vs cKAfpUFqZ7.exe
Source: cKAfpUFqZ7.exe, 00000000.00000000.1997094223.0000000000389000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAMD Processor.exe< vs cKAfpUFqZ7.exe
Source: cKAfpUFqZ7.exe, 00000000.00000002.2079353138.0000000005220000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameVaultSvc.exe4 vs cKAfpUFqZ7.exe
Source: cKAfpUFqZ7.exe, 00000000.00000002.2079995319.00000000064D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameimg2data.dll2 vs cKAfpUFqZ7.exe
Source: cKAfpUFqZ7.exe, 00000000.00000002.2081156287.00000000069B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameAddtoregistry.dll< vs cKAfpUFqZ7.exe
Source: cKAfpUFqZ7.exe, 00000000.00000002.2075860442.0000000003DF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDecData.dll0 vs cKAfpUFqZ7.exe
Source: cKAfpUFqZ7.exe, 00000000.00000002.2074471303.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs cKAfpUFqZ7.exe
Source: cKAfpUFqZ7.exe, 00000000.00000002.2075860442.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVaultSvc.exe4 vs cKAfpUFqZ7.exe
Source: cKAfpUFqZ7.exe, 00000000.00000002.2075860442.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAMD Processor.exe< vs cKAfpUFqZ7.exe
Source: cKAfpUFqZ7.exe Binary or memory string: OriginalFilenameDecData.dll0 vs cKAfpUFqZ7.exe
Source: cKAfpUFqZ7.exe Binary or memory string: OriginalFilenameAMD Processor.exe< vs cKAfpUFqZ7.exe
Source: cKAfpUFqZ7.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.sbietrcl.exe.4558a50.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.sbietrcl.exe.4558a50.5.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 3.2.sbietrcl.exe.4558a50.5.raw.unpack, type: UNPACKEDPE Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 3.2.sbietrcl.exe.4558a50.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 8.2.sbietrcl.exe.3f98ae0.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.sbietrcl.exe.3f98ae0.2.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 8.2.sbietrcl.exe.3f98ae0.2.unpack, type: UNPACKEDPE Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 8.2.sbietrcl.exe.3f98ae0.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 7.2.sbietrcl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.sbietrcl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.2.sbietrcl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 6.2.sbietrcl.exe.3bda520.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.sbietrcl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 6.2.sbietrcl.exe.3bda520.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 6.2.sbietrcl.exe.3bda520.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 6.2.sbietrcl.exe.3bda520.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 3.2.sbietrcl.exe.4558a50.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.sbietrcl.exe.4558a50.5.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 3.2.sbietrcl.exe.4558a50.5.unpack, type: UNPACKEDPE Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 3.2.sbietrcl.exe.4558a50.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 6.2.sbietrcl.exe.3bda520.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.sbietrcl.exe.3bda520.1.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 6.2.sbietrcl.exe.3bda520.1.unpack, type: UNPACKEDPE Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 6.2.sbietrcl.exe.3bda520.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 8.2.sbietrcl.exe.3f98ae0.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.sbietrcl.exe.3f98ae0.2.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 8.2.sbietrcl.exe.3f98ae0.2.raw.unpack, type: UNPACKEDPE Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 8.2.sbietrcl.exe.3f98ae0.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 7.2.sbietrcl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.sbietrcl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.2.sbietrcl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 7.2.sbietrcl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000006.00000002.2216897108.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000008.00000002.2299691163.0000000003F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000007.00000002.2210506466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000007.00000002.2210506466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 00000007.00000002.2210506466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000007.00000002.2210506466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000003.00000002.2093756977.0000000004558000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000008.00000002.2293718713.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000006.00000002.2213783406.0000000002BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000003.00000002.2091212670.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: cKAfpUFqZ7.exe, c05613db034111f07cae3e629abee8ffb.cs Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: sbietrcl.exe.0.dr, c05613db034111f07cae3e629abee8ffb.cs Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: sbietrcl_signed.exe.0.dr, c05613db034111f07cae3e629abee8ffb.cs Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: 0.2.cKAfpUFqZ7.exe.3b618f8.4.raw.unpack, .cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.cKAfpUFqZ7.exe.5210000.8.raw.unpack, .cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.cKAfpUFqZ7.exe.5220000.9.raw.unpack, jO.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.cKAfpUFqZ7.exe.5220000.9.raw.unpack, jO.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.cKAfpUFqZ7.exe.5220000.9.raw.unpack, nC.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.cKAfpUFqZ7.exe.5220000.9.raw.unpack, nC.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/5@0/1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 3_2_06FD01B2 AdjustTokenPrivileges, 3_2_06FD01B2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 3_2_06FD017B AdjustTokenPrivileges, 3_2_06FD017B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 6_2_04E401B2 AdjustTokenPrivileges, 6_2_04E401B2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 6_2_04E4017B AdjustTokenPrivileges, 6_2_04E4017B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_0040CA41 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 7_2_0040CA41
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 8_2_06AA01B2 AdjustTokenPrivileges, 8_2_06AA01B2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 8_2_06AA017B AdjustTokenPrivileges, 8_2_06AA017B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_004081B7 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,Process32NextW,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 7_2_004081B7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_00408150 FindResourceA,LoadResource,LockResource,SizeofResource, 7_2_00408150
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\sbietrcl.exe.log
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Mutant created: \Sessions\1\BaseNamedObjects\remcos_sccafsoidz
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe File created: C:\Users\user\AppData\Local\Temp\mscorsvw1.exe
Source: cKAfpUFqZ7.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cKAfpUFqZ7.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cKAfpUFqZ7.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe File read: C:\Users\user\Desktop\cKAfpUFqZ7.exe
Source: unknown Process created: C:\Users\user\Desktop\cKAfpUFqZ7.exe "C:\Users\user\Desktop\cKAfpUFqZ7.exe"
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: msvcp60.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: msvcp60.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: msvcp60.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Section loaded: netutils.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: cKAfpUFqZ7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: cKAfpUFqZ7.exe Static file information: File size 2086464 > 1048576
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: cKAfpUFqZ7.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Aditza\Desktop\SignAssembly\SignAssembly\obj\Release\SignAssembly.pdb source: cKAfpUFqZ7.exe, 00000000.00000002.2074969632.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp, cKAfpUFqZ7.exe, 00000000.00000002.2080596937.0000000006700000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: mscorsvw.pdb source: cKAfpUFqZ7.exe, 00000000.00000002.2080364798.0000000006600000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorsvw.pdbD source: cKAfpUFqZ7.exe, 00000000.00000002.2080364798.0000000006600000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.cKAfpUFqZ7.exe.5220000.9.raw.unpack, nC.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: cKAfpUFqZ7.exe, c407e2c3075249fb771a49a8bfa874d4f.cs .Net Code: Ximagurizhe System.AppDomain.Load(byte[])
Source: sbietrcl.exe.0.dr, c407e2c3075249fb771a49a8bfa874d4f.cs .Net Code: Ximagurizhe System.AppDomain.Load(byte[])
Source: sbietrcl_signed.exe.0.dr, c407e2c3075249fb771a49a8bfa874d4f.cs .Net Code: Ximagurizhe System.AppDomain.Load(byte[])
Source: 0.2.cKAfpUFqZ7.exe.5220000.9.raw.unpack, Uw.cs .Net Code: dn System.AppDomain.Load(byte[])
Source: 0.2.cKAfpUFqZ7.exe.5220000.9.raw.unpack, rs.cs .Net Code: EE System.AppDomain.Load(byte[])
Source: 0.2.cKAfpUFqZ7.exe.5220000.9.raw.unpack, gA.cs .Net Code: NG System.AppDomain.Load(byte[])
Source: 0.2.cKAfpUFqZ7.exe.5220000.9.raw.unpack, yN.cs .Net Code: bS6 System.AppDomain.Load(byte[])
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_0040E4C4 LoadLibraryA,GetProcAddress, 7_2_0040E4C4
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Code function: 0_2_05226EAF push ss; retf 0002h 0_2_05227083
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Code function: 0_2_04C41CE1 push 68EC04C3h; ret 0_2_04C41CE6
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Code function: 0_2_04C40491 push cs; ret 0_2_04C40492
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Code function: 0_2_04C40493 push cs; ret 0_2_04C4049A
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Code function: 0_2_04C47CAF pushfd ; ret 0_2_04C47CB2
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Code function: 0_2_04C47CAB pushfd ; ret 0_2_04C47CAE
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Code function: 0_2_04C40451 push cs; ret 0_2_04C40452
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Code function: 0_2_04C40470 push cs; ret 0_2_04C4047A
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Code function: 0_2_04C40401 push cs; ret 0_2_04C40402
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Code function: 0_2_04C40428 push cs; ret 0_2_04C4042A
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Code function: 0_2_04C44FCE push edx; iretd 0_2_04C44FCF
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Code function: 0_2_04C41250 push esp; ret 0_2_04C41251
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Code function: 0_2_04C403DB push cs; ret 0_2_04C403E2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 3_2_01259EDE push ecx; retf 3_2_01259F19
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 3_2_053C4FCE push edx; iretd 3_2_053C4FCF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 6_2_009669F5 push esp; iretd 6_2_009669FD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 6_2_0096681C push 12EC0096h; iretd 6_2_00966822
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 6_2_04D01CE1 push 68EC04CFh; iretd 6_2_04D01CE6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 6_2_04D00491 push cs; iretd 6_2_04D00492
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 6_2_04D00493 push cs; iretd 6_2_04D0049A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 6_2_04D07CAB pushfd ; iretd 6_2_04D07CAE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 6_2_04D07CAF pushfd ; iretd 6_2_04D07CB2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 6_2_04D00451 push cs; iretd 6_2_04D00452
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 6_2_04D00470 push cs; iretd 6_2_04D0047A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 6_2_04D00401 push cs; iretd 6_2_04D00402
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 6_2_04D00428 push cs; iretd 6_2_04D0042A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 6_2_04D04FCE push edx; iretd 6_2_04D04FCF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 6_2_04D01250 push esp; iretd 6_2_04D01251
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 6_2_04D003DB push cs; iretd 6_2_04D003E2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_0040FCF0 push eax; ret 7_2_0040FD1E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 8_2_00C19EE1 push ecx; retf 8_2_00C19F19
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,URLDownloadToFileA,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,ShellExecuteA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_ 7_2_0040A71E
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl_signed.exe
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Application

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe File opened: C:\Users\user\Desktop\cKAfpUFqZ7.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Code function: 7_2_00407D38 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, 7_2_00407D38
Source: C:\Users\user\Desktop\cKAfpUFqZ7.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe Process information set: NOOPENFILEERRORBOX