
Windows Analysis Report
5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe

Overview

General Information

Sample name:5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe
Analysis ID:1472791
MD5:472052db7a344b5dba08aec26d6bdf6f
SHA1:72d44235387e2ce08665b8976424e802a672c65f
SHA256:5aef1b0e1673044cc7a46a3ea02e4caf2ec853acdf50e3d9a72aa9ac0fb1f88f
Tags:exe
Infos:

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "areaseguras.con-ip.com:2707:1", "Assigned name": "spacolombia2707RAPTOR", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "Rmc121455011-7TOVMS", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaa8:$a1: Remcos restarted by watchdog!
  • 0x6b020:$a3: %02i:%02i:%02i:%03i
5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | REMCOS_RAT_variants | unknown | unknown
  • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b6c:$str_b2: Executing file:
  • 0x65bec:$str_b3: GetDirectListeningPort
  • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65718:$str_b7: \update.vbs
  • 0x64b94:$str_b9: Downloaded file:
  • 0x64b80:$str_b10: Downloading file:
  • 0x64c24:$str_b12: Failed to upload file:
  • 0x65bb4:$str_b13: StartForward
  • 0x65bd4:$str_b14: StopForward
  • 0x65670:$str_b15: fso.DeleteFile "
  • 0x65604:$str_b16: On Error Resume Next
  • 0x656a0:$str_b17: fso.DeleteFolder "
  • 0x64c14:$str_b18: Uploaded file:
  • 0x64bd4:$str_b19: Unable to delete:
  • 0x65638:$str_b20: while fso.FileExists("
  • 0x650b1:$str_c0: [Firefox StoredLogins not found]
5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6497c:$s1: CoGetObject
  • 0x64990:$s1: CoGetObject
  • 0x649ac:$s1: CoGetObject
  • 0x6e938:$s1: CoGetObject
  • 0x6493c:$s2: Elevation:Administrator!new:
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\loggsdSSC\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
Source | Rule | Description | Author | Strings
00000000.00000002.4190979631.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.4190979631.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000002.4190979631.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x134a8:$a1: Remcos restarted by watchdog!
  • 0x13a20:$a3: %02i:%02i:%02i:%03i
00000000.00000000.1734672534.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000000.1734672534.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
Source | Rule | Description | Author | Strings
0.0.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.0.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.0.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaa8:$a1: Remcos restarted by watchdog!
  • 0x6b020:$a3: %02i:%02i:%02i:%03i
0.0.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b6c:$str_b2: Executing file:
  • 0x65bec:$str_b3: GetDirectListeningPort
  • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65718:$str_b7: \update.vbs
  • 0x64b94:$str_b9: Downloaded file:
  • 0x64b80:$str_b10: Downloading file:
  • 0x64c24:$str_b12: Failed to upload file:
  • 0x65bb4:$str_b13: StartForward
  • 0x65bd4:$str_b14: StopForward
  • 0x65670:$str_b15: fso.DeleteFile "
  • 0x65604:$str_b16: On Error Resume Next
  • 0x656a0:$str_b17: fso.DeleteFolder "
  • 0x64c14:$str_b18: Uploaded file:
  • 0x64bd4:$str_b19: Unable to delete:
  • 0x65638:$str_b20: while fso.FileExists("
  • 0x650b1:$str_c0: [Firefox StoredLogins not found]
0.0.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6497c:$s1: CoGetObject
  • 0x64990:$s1: CoGetObject
  • 0x649ac:$s1: CoGetObject
  • 0x6e938:$s1: CoGetObject
  • 0x6493c:$s2: Elevation:Administrator!new:

No Sigma rule has matched
No Snort rule has matched


                    AV Detection

                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeAvira: detected
                    Source: areaseguras.con-ip.comAvira URL Cloud: Label: malware
                    Source: 00000000.00000002.4191170000.00000000005FE000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": "areaseguras.con-ip.com:2707:1", "Assigned name": "spacolombia2707RAPTOR", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "Rmc121455011-7TOVMS", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                    Source: areaseguras.con-ip.comVirustotal: Detection: 10%Perma Link
                    Source: areaseguras.con-ip.comVirustotal: Detection: 10%Perma Link
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeVirustotal: Detection: 79%Perma Link
                    Source: Yara matchFile source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.4190979631.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.1734672534.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.4191170000.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe PID: 7160, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\loggsdSSC\logs.dat, type: DROPPED
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeJoe Sandbox ML: detected
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_00433837
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4190979631.0000000000459000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_1e0e93a8-9

                    Exploits

                    Source: Yara matchFile source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.4190979631.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.1734672534.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe PID: 7160, type: MEMORYSTR

                    Privilege Escalation

                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_004074FD _wcslen,CoGetObject,0_2_004074FD
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_00409253
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C291
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C34D
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_00409665
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_0040880C
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_0040783C FindFirstFileW,FindNextFileW,0_2_0040783C
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419AF5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB30
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD37
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407C97

                    Networking

                    Source: Malware configuration extractorURLs: areaseguras.con-ip.com
                    Source: global trafficTCP traffic: 192.168.2.4:49730 -> 86.104.72.183:2707
                    Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                    Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                    Source: Joe Sandbox ViewASN Name: TELE-ROM-ASstrAleeaPaciiBlB5Ap16RO TELE-ROM-ASstrAleeaPaciiBlB5Ap16RO
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_0041B380
                    Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                    Source: global trafficDNS traffic detected: DNS query: areaseguras.con-ip.com
                    Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                    Source: global trafficDNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000003.1751014820.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000003.1751014820.0000000000670000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000641000.00000004.00000020.00020000.00000000.sdmp, 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000003.1751014820.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000003.1751014820.0000000000641000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeString found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000641000.00000004.00000020.00020000.00000000.sdmp, 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000003.1751014820.0000000000641000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp6fgQ
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000641000.00000004.00000020.00020000.00000000.sdmp, 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000003.1751014820.0000000000641000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp=Q
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000003.1751014820.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000662000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,000000000_2_0040A2B8
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeJump to behavior
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B70E
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004168C1
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B70E
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_0040A3E0

                    E-Banking Fraud

                    Source: Yara matchFile source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.4190979631.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.1734672534.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.4191170000.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe PID: 7160, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\loggsdSSC\logs.dat, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_0041C9E2 SystemParametersInfoW,0_2_0041C9E2

                    System Summary

                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Author: unknown
Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, type: SAMPLE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.0.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.0.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
Source: 0.0.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000000.00000002.4190979631.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000000.00000000.1734672534.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe PID: 7160, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,0_2_004132D2
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle,0_2_0041BB09
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle,0_2_0041BB35
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,0_2_004167B4
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_0043E0CC0_2_0043E0CC
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0041F0FA
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00454159
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00438168
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_004461F0
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0043E2FB
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0045332B
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0042739D
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_004374E6
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0043E558
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00438770
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_004378FE
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00433946
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0044D9C9
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00427A46
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0041DB62
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00427BAF
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00437D33
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00435E5E
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00426E0E
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0043DE9D
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00413FCA
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00436FEA
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: String function: 00434E10 appears 54 times
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: String function: 00402093 appears 50 times
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: String function: 00434770 appears 42 times
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: String function: 00401E65 appears 34 times
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.0.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.0.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0.0.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.2.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0.2.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000000.00000002.4190979631.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000000.00000000.1734672534.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe PID: 7160, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@3/2
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc121455011-7TOVMS
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: Software\ | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: Exe | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: Exe | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: Inj | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: Inj | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: 8SG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: exepath | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: 8SG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: exepath | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: licence | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: dMG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: PSG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: Administrator | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: User | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: del | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: del | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Command line argument: del | 0_2_0040E9C5
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Virustotal: Detection: 79%
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00457106 push ecx; ret 0_2_00457119
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00457A28 push eax; ret 0_2_00457A46
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00434E56 push ecx; ret 0_2_00434E69
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00406EB0 ShellExecuteW,URLDownloadToFileW
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0040F7A7 Sleep,ExitProcess
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle | 0_2_0041A748
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Window / User API: threadDelayed 5167
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Window / User API: threadDelayed 4304
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Window / User API: foregroundWindowGot 1763
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe TID: 2720 | Thread sleep count: 248 > 30
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe TID: 2720 | Thread sleep time: -124000s >= -30000s
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe TID: 2504 | Thread sleep count: 5167 > 30
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe TID: 2504 | Thread sleep time: -15501000s >= -30000s
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe TID: 2504 | Thread sleep count: 4304 > 30
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe TID: 2504 | Thread sleep time: -12912000s >= -30000s
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0040783C FindFirstFileW,FindNextFileW
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.000000000067B000.00000004.00000020.00020000.00000000.sdmp, 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000003.1751099377.000000000067B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWM
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.000000000067B000.00000004.00000020.00020000.00000000.sdmp, 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000003.1751099377.000000000067B000.00000004.00000020.00020000.00000000.sdmp, 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.00000000005FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | API call chain: ExitProcess graph end node | graph_0-48207
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_004432B5 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00412077 GetProcessHeap,HeapFree
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_00434B47 SetUnhandledExceptionFilter
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: 0_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00434FDC
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe0_2_00412117
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_00419627 mouse_event,0_2_00419627
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000003.1751014820.0000000000670000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerK7,
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000670000.00000004.00000020.00020000.00000000.sdmp, 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000674000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, logs.dat.0.drBinary or memory string: [2024/07/13 22:17:04 Program Manager]
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000670000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerEM
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000670000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerinutes
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000670000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerr|
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000674000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager3?|
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000674000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manageri?
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000674000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerK?
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000670000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerd7I
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000670000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managero7@
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000670000.00000004.00000020.00020000.00000000.sdmp, 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000641000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000674000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerd?
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000674000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerF?
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000670000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerz7{
                    Source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, 00000000.00000002.4191170000.0000000000670000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managers7d
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_00434C52 cpuid 0_2_00434C52
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: GetLocaleInfoA,0_2_0040F8D1
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: EnumSystemLocalesW,0_2_00452036
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_004520C3
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: GetLocaleInfoW,0_2_00452313
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: EnumSystemLocalesW,0_2_00448404
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0045243C
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: GetLocaleInfoW,0_2_00452543
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00452610
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: GetLocaleInfoW,0_2_004488ED
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00451CD8
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: EnumSystemLocalesW,0_2_00451F50
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: EnumSystemLocalesW,0_2_00451F9B
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_00404F51 GetLocalTime,CreateEventA,CreateThread,0_2_00404F51
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_0041B60D GetComputerNameExW,GetUserNameW,0_2_0041B60D
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeCode function: 0_2_004493AD _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_004493AD
                    Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

Source: Yara match | File source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, type: SAMPLE
Source: Yara match | File source: 0.0.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4190979631.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1734672534.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4191170000.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe PID: 7160, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\loggsdSSC\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040BA12
Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040BB30
Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: \key3.db 0_2_0040BB30

                    Remote Access Functionality

Source: Yara match | File source: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe, type: SAMPLE
Source: Yara match | File source: 0.0.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4190979631.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1734672534.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4191170000.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe PID: 7160, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\loggsdSSC\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Code function: cmd.exe 0_2_0040569A
MITRE ATT&CK matrix, rebuilt from the flattened table: one line per tactic (the original columns), techniques listed in the original row order. A number in front of a technique is the signature count the matrix shows for it, kept as printed; techniques without a number have no matching signature.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 1 Native API; 12 Command and Scripting Interpreter; 2 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 1 Windows Service; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 11 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 1 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 11 Process Injection; HTML Smuggling; Dynamic API Resolution
Credential Access: 1 OS Credential Dumping; 211 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 2 File and Directory Discovery; 23 System Information Discovery; 21 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 211 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 12 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
