Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
4_2_0041A01B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
4_2_0040B28E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
4_2_0040838E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
4_2_004087A0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
4_2_00407848 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_004068CD FindFirstFileW,FindNextFileW, |
4_2_004068CD |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0044BA59 FindFirstFileExA, |
4_2_0044BA59 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
4_2_0040AA71 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, |
4_2_00417AAB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
4_2_0040AC78 |
Source: 0.2.WBQXywne4N.exe.4541960.5.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.WBQXywne4N.exe.4541960.5.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.WBQXywne4N.exe.4541960.5.raw.unpack, type: UNPACKEDPE |
Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 0.2.WBQXywne4N.exe.44f6d70.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.WBQXywne4N.exe.44f6d70.4.raw.unpack, type: UNPACKEDPE |
Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 0.2.WBQXywne4N.exe.4896650.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.WBQXywne4N.exe.4896650.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.WBQXywne4N.exe.4896650.1.raw.unpack, type: UNPACKEDPE |
Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.unpack, type: UNPACKEDPE |
Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 0.2.WBQXywne4N.exe.4896650.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.WBQXywne4N.exe.4896650.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.WBQXywne4N.exe.4896650.1.unpack, type: UNPACKEDPE |
Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 0.2.WBQXywne4N.exe.4736212.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.WBQXywne4N.exe.4736212.2.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.WBQXywne4N.exe.4736212.2.unpack, type: UNPACKEDPE |
Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 0.2.WBQXywne4N.exe.4820f92.3.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.WBQXywne4N.exe.4820f92.3.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.WBQXywne4N.exe.4820f92.3.unpack, type: UNPACKEDPE |
Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 0.2.WBQXywne4N.exe.4736212.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.WBQXywne4N.exe.4736212.2.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.WBQXywne4N.exe.4736212.2.raw.unpack, type: UNPACKEDPE |
Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.raw.unpack, type: UNPACKEDPE |
Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 0.2.WBQXywne4N.exe.4820f92.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.WBQXywne4N.exe.4820f92.3.raw.unpack, type: UNPACKEDPE |
Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 00000000.00000002.1819649058.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000004.00000002.3759365928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000004.00000002.3759365928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000004.00000002.3759365928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 00000000.00000002.1819649058.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000000.00000002.1819649058.00000000045EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000000.00000002.1819649058.0000000004461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000000.00000002.1819649058.0000000004820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: WBQXywne4N.exe PID: 7508, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: AddInProcess32.exe PID: 7944, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_03140BA8 |
0_2_03140BA8 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_03141AB8 |
0_2_03141AB8 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_03140890 |
0_2_03140890 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_032FC7D0 |
0_2_032FC7D0 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_032F7268 |
0_2_032F7268 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_032F5297 |
0_2_032F5297 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_032F5600 |
0_2_032F5600 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_032F7850 |
0_2_032F7850 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_032FC7C1 |
0_2_032FC7C1 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_032F4847 |
0_2_032F4847 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_05CCD0BC |
0_2_05CCD0BC |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_06871C00 |
0_2_06871C00 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_06871BD0 |
0_2_06871BD0 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_06870007 |
0_2_06870007 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_06870040 |
0_2_06870040 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_06B247A8 |
0_2_06B247A8 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_06B2E6BF |
0_2_06B2E6BF |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_06B2E6D0 |
0_2_06B2E6D0 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_06B24798 |
0_2_06B24798 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_07E851D8 |
0_2_07E851D8 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_07E80520 |
0_2_07E80520 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_07E8050F |
0_2_07E8050F |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_087CF051 |
0_2_087CF051 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_087C0040 |
0_2_087C0040 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_087C47B8 |
0_2_087C47B8 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08853CB4 |
0_2_08853CB4 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_0885ECB0 |
0_2_0885ECB0 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_0885BDB8 |
0_2_0885BDB8 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_0885E2E8 |
0_2_0885E2E8 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08852615 |
0_2_08852615 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_0885CE53 |
0_2_0885CE53 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_0885DA70 |
0_2_0885DA70 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_0885FB60 |
0_2_0885FB60 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08852B70 |
0_2_08852B70 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_0885DA3D |
0_2_0885DA3D |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08852B0D |
0_2_08852B0D |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08852B60 |
0_2_08852B60 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE58B0 |
0_2_08BE58B0 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BEA9C8 |
0_2_08BEA9C8 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE2178 |
0_2_08BE2178 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE7AD0 |
0_2_08BE7AD0 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BECF38 |
0_2_08BECF38 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE7718 |
0_2_08BE7718 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE58A1 |
0_2_08BE58A1 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE68C8 |
0_2_08BE68C8 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE1478 |
0_2_08BE1478 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE2C78 |
0_2_08BE2C78 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE1468 |
0_2_08BE1468 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE0998 |
0_2_08BE0998 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE0988 |
0_2_08BE0988 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE2D28 |
0_2_08BE2D28 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE2168 |
0_2_08BE2168 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE1D58 |
0_2_08BE1D58 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE1D48 |
0_2_08BE1D48 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BEB238 |
0_2_08BEB238 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE0258 |
0_2_08BE0258 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE1FD0 |
0_2_08BE1FD0 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE97D0 |
0_2_08BE97D0 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE1FC0 |
0_2_08BE1FC0 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE1B20 |
0_2_08BE1B20 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE1B10 |
0_2_08BE1B10 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE7708 |
0_2_08BE7708 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_08BE1768 |
0_2_08BE1768 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_07E85DA7 |
0_2_07E85DA7 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Code function: 0_2_07E851B5 |
0_2_07E851B5 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_00425152 |
4_2_00425152 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_00435286 |
4_2_00435286 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_004513D4 |
4_2_004513D4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0045050B |
4_2_0045050B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_00436510 |
4_2_00436510 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_004316FB |
4_2_004316FB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0043569E |
4_2_0043569E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_00443700 |
4_2_00443700 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_004257FB |
4_2_004257FB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_004128E3 |
4_2_004128E3 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_00425964 |
4_2_00425964 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0041B917 |
4_2_0041B917 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0043D9CC |
4_2_0043D9CC |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_00435AD3 |
4_2_00435AD3 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_00424BC3 |
4_2_00424BC3 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0043DBFB |
4_2_0043DBFB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0044ABA9 |
4_2_0044ABA9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_00433C0B |
4_2_00433C0B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_00434D8A |
4_2_00434D8A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0043DE2A |
4_2_0043DE2A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0041CEAF |
4_2_0041CEAF |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_00435F08 |
4_2_00435F08 |
Source: 0.2.WBQXywne4N.exe.4541960.5.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.WBQXywne4N.exe.4541960.5.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.WBQXywne4N.exe.4541960.5.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
Source: 0.2.WBQXywne4N.exe.44f6d70.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.WBQXywne4N.exe.44f6d70.4.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
Source: 0.2.WBQXywne4N.exe.4896650.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.WBQXywne4N.exe.4896650.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.WBQXywne4N.exe.4896650.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
Source: 0.2.WBQXywne4N.exe.4896650.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.WBQXywne4N.exe.4896650.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.WBQXywne4N.exe.4896650.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
Source: 0.2.WBQXywne4N.exe.4736212.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.WBQXywne4N.exe.4736212.2.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.WBQXywne4N.exe.4736212.2.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
Source: 0.2.WBQXywne4N.exe.4820f92.3.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.WBQXywne4N.exe.4820f92.3.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.WBQXywne4N.exe.4820f92.3.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
Source: 0.2.WBQXywne4N.exe.4736212.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.WBQXywne4N.exe.4736212.2.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.WBQXywne4N.exe.4736212.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
Source: 0.2.WBQXywne4N.exe.4820f92.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.WBQXywne4N.exe.4820f92.3.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
Source: 00000000.00000002.1819649058.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000004.00000002.3759365928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000004.00000002.3759365928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000004.00000002.3759365928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
Source: 00000000.00000002.1819649058.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000000.00000002.1819649058.00000000045EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000000.00000002.1819649058.0000000004461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000000.00000002.1819649058.0000000004820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: WBQXywne4N.exe PID: 7508, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: AddInProcess32.exe PID: 7944, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: mscoree.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: vcruntime140_clr0400.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: amsi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: gpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: dwrite.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Section loaded: windowscodecs.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: winmm.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\WBQXywne4N.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
4_2_0041A01B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
4_2_0040B28E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
4_2_0040838E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
4_2_004087A0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
4_2_00407848 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_004068CD FindFirstFileW,FindNextFileW, |
4_2_004068CD |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0044BA59 FindFirstFileExA, |
4_2_0044BA59 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
4_2_0040AA71 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, |
4_2_00417AAB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 4_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
4_2_0040AC78 |