Windows Analysis Report
WBQXywne4N.exe

Overview

General Information

Sample name: WBQXywne4N.exe
renamed because original name is a hash value
Original sample name: 930fdedab0dcc5bbd3a1ab3e50a3675e4ba0823b601ca2b9602b92657b1de006.exe
Analysis ID: 1588846
MD5: 2ad6b435964c1607e848b2cbde8885ee
SHA1: 0800c4b079b6277aa86f434b78175da72366de3f
SHA256: 930fdedab0dcc5bbd3a1ab3e50a3675e4ba0823b601ca2b9602b92657b1de006
Tags: exeRemcosRATuser-adrian__luca
Infos:

Detection

Remcos, DarkTortilla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected Remcos RAT
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to delay execution (extensive OutputDebugStringW loop)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Name Description Attribution Blogpost URLs Link
DarkTortilla DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

AV Detection

barindex
Source: cjmancool.dynamic-dns.net Avira URL Cloud: Label: malware
Source: 00000000.00000002.1819649058.0000000004820000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["cjmancool.dynamic-dns.net:3764:1"], "Assigned name": "bn", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-GAT2GZ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source: WBQXywne4N.exe Virustotal: Detection: 43% Perma Link
Source: WBQXywne4N.exe ReversingLabs: Detection: 79%
Source: Yara match File source: 0.2.WBQXywne4N.exe.4541960.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.44f6d70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.4896650.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.45ecfb2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.4896650.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.4736212.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.4820f92.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.4736212.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.45ecfb2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.4820f92.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1819649058.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3759365928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1819649058.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3760311984.000000000129A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1819649058.00000000045EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1819649058.0000000004461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1819649058.0000000004820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WBQXywne4N.exe PID: 7508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 7944, type: MEMORYSTR
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: WBQXywne4N.exe Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 4_2_004315EC
Source: WBQXywne4N.exe, 00000000.00000002.1819649058.00000000046C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_8f973378-c
Source: WBQXywne4N.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 4_2_0041A01B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 4_2_0040B28E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_2_0040838E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_2_004087A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 4_2_00407848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004068CD FindFirstFileW,FindNextFileW, 4_2_004068CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0044BA59 FindFirstFileExA, 4_2_0044BA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 4_2_0040AA71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 4_2_00417AAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 4_2_0040AC78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 4_2_00406D28
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_032FC7D0
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_032FC7C1

Networking

barindex
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49985 -> 94.78.99.194:3764
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49984 -> 94.78.99.194:3764
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49986 -> 94.78.99.194:3764
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49989 -> 94.78.99.194:3764
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49990 -> 94.78.99.194:3764
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49987 -> 94.78.99.194:3764
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49988 -> 94.78.99.194:3764
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49982 -> 94.78.99.194:3764
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49991 -> 94.78.99.194:3764
Source: Malware configuration extractor URLs: cjmancool.dynamic-dns.net
Source: global traffic TCP traffic: 192.168.2.11:49982 -> 94.78.99.194:3764
Source: Joe Sandbox View ASN Name: NETONLINETR NETONLINETR
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00424A66 recv, 4_2_00424A66
Source: global traffic DNS traffic detected: DNS query: cjmancool.dynamic-dns.net
Source: AddInProcess32.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: WBQXywne4N.exe, 00000000.00000002.1819649058.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, WBQXywne4N.exe, 00000000.00000002.1819649058.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, WBQXywne4N.exe, 00000000.00000002.1819649058.0000000004461000.00000004.00000800.00020000.00000000.sdmp, WBQXywne4N.exe, 00000000.00000002.1819649058.0000000004820000.00000004.00000800.00020000.00000000.sdmp, WBQXywne4N.exe, 00000000.00000002.1819649058.00000000045EC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3759365928.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C

Key, Mouse, Clipboard, Microphone and Screen Capturing

barindex
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000 4_2_00409340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard, 4_2_0040A65A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 4_2_00414EC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard, 4_2_0040A65A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx, 4_2_00409468

E-Banking Fraud

barindex
Source: Yara match File source: 0.2.WBQXywne4N.exe.4541960.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.44f6d70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.4896650.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.45ecfb2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.4896650.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.4736212.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.4820f92.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.4736212.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.45ecfb2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.4820f92.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1819649058.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3759365928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1819649058.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3760311984.000000000129A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1819649058.00000000045EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1819649058.0000000004461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1819649058.0000000004820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WBQXywne4N.exe PID: 7508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 7944, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

barindex
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0041A76C SystemParametersInfoW, 4_2_0041A76C

System Summary

barindex
Source: 0.2.WBQXywne4N.exe.4541960.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.WBQXywne4N.exe.4541960.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.WBQXywne4N.exe.4541960.5.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.WBQXywne4N.exe.44f6d70.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.WBQXywne4N.exe.44f6d70.4.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.WBQXywne4N.exe.4896650.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.WBQXywne4N.exe.4896650.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.WBQXywne4N.exe.4896650.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.WBQXywne4N.exe.4896650.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.WBQXywne4N.exe.4896650.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.WBQXywne4N.exe.4896650.1.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.WBQXywne4N.exe.4736212.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.WBQXywne4N.exe.4736212.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.WBQXywne4N.exe.4736212.2.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.WBQXywne4N.exe.4820f92.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.WBQXywne4N.exe.4820f92.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.WBQXywne4N.exe.4820f92.3.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.WBQXywne4N.exe.4736212.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.WBQXywne4N.exe.4736212.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.WBQXywne4N.exe.4736212.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.WBQXywne4N.exe.4820f92.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.WBQXywne4N.exe.4820f92.3.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000000.00000002.1819649058.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000002.3759365928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000002.3759365928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000004.00000002.3759365928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000000.00000002.1819649058.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1819649058.00000000045EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1819649058.0000000004461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1819649058.0000000004820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: WBQXywne4N.exe PID: 7508, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: AddInProcess32.exe PID: 7944, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BEC9B8 CreateProcessAsUserW, 0_2_08BEC9B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 4_2_00414DB4
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_03140BA8 0_2_03140BA8
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_03141AB8 0_2_03141AB8
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_03140890 0_2_03140890
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_032FC7D0 0_2_032FC7D0
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_032F7268 0_2_032F7268
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_032F5297 0_2_032F5297
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_032F5600 0_2_032F5600
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_032F7850 0_2_032F7850
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_032FC7C1 0_2_032FC7C1
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_032F4847 0_2_032F4847
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_05CCD0BC 0_2_05CCD0BC
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_06871C00 0_2_06871C00
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_06871BD0 0_2_06871BD0
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_06870007 0_2_06870007
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_06870040 0_2_06870040
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_06B247A8 0_2_06B247A8
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_06B2E6BF 0_2_06B2E6BF
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_06B2E6D0 0_2_06B2E6D0
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_06B24798 0_2_06B24798
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_07E851D8 0_2_07E851D8
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_07E80520 0_2_07E80520
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_07E8050F 0_2_07E8050F
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_087CF051 0_2_087CF051
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_087C0040 0_2_087C0040
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_087C47B8 0_2_087C47B8
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08853CB4 0_2_08853CB4
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_0885ECB0 0_2_0885ECB0
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_0885BDB8 0_2_0885BDB8
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_0885E2E8 0_2_0885E2E8
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08852615 0_2_08852615
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_0885CE53 0_2_0885CE53
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_0885DA70 0_2_0885DA70
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_0885FB60 0_2_0885FB60
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08852B70 0_2_08852B70
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_0885DA3D 0_2_0885DA3D
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08852B0D 0_2_08852B0D
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08852B60 0_2_08852B60
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE58B0 0_2_08BE58B0
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BEA9C8 0_2_08BEA9C8
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE2178 0_2_08BE2178
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE7AD0 0_2_08BE7AD0
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BECF38 0_2_08BECF38
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE7718 0_2_08BE7718
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE58A1 0_2_08BE58A1
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE68C8 0_2_08BE68C8
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE1478 0_2_08BE1478
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE2C78 0_2_08BE2C78
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE1468 0_2_08BE1468
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE0998 0_2_08BE0998
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE0988 0_2_08BE0988
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE2D28 0_2_08BE2D28
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE2168 0_2_08BE2168
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE1D58 0_2_08BE1D58
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE1D48 0_2_08BE1D48
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BEB238 0_2_08BEB238
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE0258 0_2_08BE0258
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE1FD0 0_2_08BE1FD0
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE97D0 0_2_08BE97D0
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE1FC0 0_2_08BE1FC0
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE1B20 0_2_08BE1B20
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE1B10 0_2_08BE1B10
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE7708 0_2_08BE7708
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_08BE1768 0_2_08BE1768
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_07E85DA7 0_2_07E85DA7
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_07E851B5 0_2_07E851B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00425152 4_2_00425152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00435286 4_2_00435286
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004513D4 4_2_004513D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0045050B 4_2_0045050B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00436510 4_2_00436510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004316FB 4_2_004316FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0043569E 4_2_0043569E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00443700 4_2_00443700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004257FB 4_2_004257FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004128E3 4_2_004128E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00425964 4_2_00425964
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0041B917 4_2_0041B917
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0043D9CC 4_2_0043D9CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00435AD3 4_2_00435AD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00424BC3 4_2_00424BC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0043DBFB 4_2_0043DBFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0044ABA9 4_2_0044ABA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00433C0B 4_2_00433C0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00434D8A 4_2_00434D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0043DE2A 4_2_0043DE2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0041CEAF 4_2_0041CEAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00435F08 4_2_00435F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 00402073 appears 51 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 00432B90 appears 53 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 00432525 appears 41 times
Source: WBQXywne4N.exe, 00000000.00000002.1821922316.0000000006380000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameBamokinepApp.dll< vs WBQXywne4N.exe
Source: WBQXywne4N.exe, 00000000.00000002.1800546571.00000000013F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs WBQXywne4N.exe
Source: WBQXywne4N.exe, 00000000.00000002.1819649058.0000000004461000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBamokinepApp.dll< vs WBQXywne4N.exe
Source: WBQXywne4N.exe, 00000000.00000000.1294054034.000000000095A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePayment slip.exeL vs WBQXywne4N.exe
Source: WBQXywne4N.exe, 00000000.00000002.1824169924.0000000008830000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRP8SH.dll6 vs WBQXywne4N.exe
Source: WBQXywne4N.exe Binary or memory string: OriginalFilenamePayment slip.exeL vs WBQXywne4N.exe
Source: 0.2.WBQXywne4N.exe.4541960.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.WBQXywne4N.exe.4541960.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.WBQXywne4N.exe.4541960.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.WBQXywne4N.exe.44f6d70.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.WBQXywne4N.exe.44f6d70.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.WBQXywne4N.exe.4896650.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.WBQXywne4N.exe.4896650.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.WBQXywne4N.exe.4896650.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.WBQXywne4N.exe.4896650.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.WBQXywne4N.exe.4896650.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.WBQXywne4N.exe.4896650.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.WBQXywne4N.exe.4736212.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.WBQXywne4N.exe.4736212.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.WBQXywne4N.exe.4736212.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.WBQXywne4N.exe.4820f92.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.WBQXywne4N.exe.4820f92.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.WBQXywne4N.exe.4820f92.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.WBQXywne4N.exe.4736212.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.WBQXywne4N.exe.4736212.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.WBQXywne4N.exe.4736212.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.WBQXywne4N.exe.45ecfb2.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.WBQXywne4N.exe.4820f92.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.WBQXywne4N.exe.4820f92.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000000.00000002.1819649058.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.3759365928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.3759365928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000002.3759365928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000000.00000002.1819649058.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1819649058.00000000045EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1819649058.0000000004461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1819649058.0000000004820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: WBQXywne4N.exe PID: 7508, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: AddInProcess32.exe PID: 7944, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: WBQXywne4N.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@3/1@7/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 4_2_00415C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle, 4_2_0040E2E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource, 4_2_00419493
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 4_2_00418A00
Source: C:\Users\user\Desktop\WBQXywne4N.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WBQXywne4N.exe.log Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-GAT2GZ
Source: WBQXywne4N.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WBQXywne4N.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\WBQXywne4N.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: WBQXywne4N.exe Virustotal: Detection: 43%
Source: WBQXywne4N.exe ReversingLabs: Detection: 79%
Source: unknown Process created: C:\Users\user\Desktop\WBQXywne4N.exe "C:\Users\user\Desktop\WBQXywne4N.exe"
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: WBQXywne4N.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: WBQXywne4N.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: WBQXywne4N.exe Static file information: File size 1145856 > 1048576
Source: WBQXywne4N.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x117200
Source: WBQXywne4N.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

barindex
Source: Yara match File source: 0.2.WBQXywne4N.exe.44f6d70.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.6380000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.6380000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.4541960.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.4541960.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WBQXywne4N.exe.44f6d70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1821922316.0000000006380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1802272980.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1819649058.0000000004461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WBQXywne4N.exe PID: 7508, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 4_2_0041A8DA
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_087CAA65 push ebp; iretd 0_2_087CAA66
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_088576E3 push ebx; retf 0_2_088576E4
Source: C:\Users\user\Desktop\WBQXywne4N.exe Code function: 0_2_0885DA38 push cs; iretd 0_2_0885DA39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004000D8 push es; iretd 4_2_004000D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040008C push es; iretd 4_2_0040008D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004542E6 push ecx; ret 4_2_004542F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0045B4FD push esi; ret 4_2_0045B506
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00432BD6 push ecx; ret 4_2_00432BE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00454C08 push eax; ret 4_2_00454C26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004063C6 ShellExecuteW,URLDownloadToFileW, 4_2_004063C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 4_2_00418A00

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Users\user\Desktop\WBQXywne4N.exe File opened: C:\Users\user\Desktop\WBQXywne4N.exe\:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 4_2_0041A8DA
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: Yara match File source: Process Memory Space: WBQXywne4N.exe PID: 7508, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040E18D Sleep,ExitProcess, 4_2_0040E18D
Source: C:\Users\user\Desktop\WBQXywne4N.exe Section loaded: OutputDebugStringW count: 117
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory allocated: 3100000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory allocated: 33E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory allocated: 3100000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory allocated: 8D30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory allocated: 9D30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory allocated: 9F10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory allocated: AF10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory allocated: B2E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory allocated: C2E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory allocated: D2E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 4_2_004186FE
Source: C:\Users\user\Desktop\WBQXywne4N.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Window / User API: threadDelayed 7003 Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Window / User API: threadDelayed 1457 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 4556 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 5436 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe API coverage: 7.9 %
Source: C:\Users\user\Desktop\WBQXywne4N.exe TID: 7588 Thread sleep time: -88000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe TID: 7792 Thread sleep time: -25825441703193356s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe TID: 7940 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe TID: 7536 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8152 Thread sleep count: 4556 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8152 Thread sleep time: -13668000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8152 Thread sleep count: 5436 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8152 Thread sleep time: -16308000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 4_2_0041A01B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 4_2_0040B28E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_2_0040838E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_2_004087A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 4_2_00407848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004068CD FindFirstFileW,FindNextFileW, 4_2_004068CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0044BA59 FindFirstFileExA, 4_2_0044BA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 4_2_0040AA71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 4_2_00417AAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 4_2_0040AC78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 4_2_00406D28
Source: C:\Users\user\Desktop\WBQXywne4N.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: WBQXywne4N.exe, 00000000.00000002.1821922316.0000000006380000.00000004.08000000.00040000.00000000.sdmp, WBQXywne4N.exe, 00000000.00000002.1819649058.0000000004461000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTray
Source: AddInProcess32.exe, 00000004.00000002.3760311984.000000000129A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WBQXywne4N.exe, 00000000.00000002.1819649058.0000000004461000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 1159399738GSOFTWARE\VMware, Inc.\VMware VGAuth
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_004327AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 4_2_0041A8DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004407B5 mov eax, dword ptr fs:[00000030h] 4_2_004407B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, 4_2_00410763
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_004327AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004328FC SetUnhandledExceptionFilter, 4_2_004328FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_004398AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00432D5C
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 456000 Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 46E000 Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 474000 Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 475000 Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 476000 Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47B000 Jump to behavior
Source: C:\Users\user\Desktop\WBQXywne4N.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: F40008 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 4_2_00410B5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004175E1 mouse_event, 4_2_004175E1
Source: C:\Users\user\Desktop\WBQXywne4N.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004329DA cpuid 4_2_004329DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: EnumSystemLocalesW, 4_2_0044F17B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: EnumSystemLocalesW, 4_2_0044F130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: EnumSystemLocalesW, 4_2_0044F216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_2_0044F2A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoA, 4_2_0040E2BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW, 4_2_0044F4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_0044F61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW, 4_2_0044F723
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_0044F7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: EnumSystemLocalesW, 4_2_00445914
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW, 4_2_00445E1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_0044EEB8