Edit tour

Windows Analysis Report
Bukti_Transfer...pdf.exe

Overview

General Information

Sample name:	Bukti_Transfer...pdf.exe
Analysis ID:	1616515
MD5:	8b0f66978d1934eec07b6213c2c8037a
SHA1:	a33a467ae0d0ceaefcefaf7a5b6f7670ec1c3062
SHA256:	9c39d381f96fb45ffcb826c90aaee8c6818767eabf44e757fa5518217611d7c7
Tags:	exeuser-Bastian455_
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Double Extension File Execution

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Remcos RAT

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Bukti_Transfer...pdf.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\Bukti_Transfer...pdf.exe" MD5: 8B0F66978D1934EEC07B6213C2C8037A)

powershell.exe (PID: 4916 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 1928 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 1448 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpEFdRPYuiXBgv" /XML "C:\Users\user\AppData\Local\Temp\tmp1D58.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Bukti_Transfer...pdf.exe (PID: 2916 cmdline: "C:\Users\user\Desktop\Bukti_Transfer...pdf.exe" MD5: 8B0F66978D1934EEC07B6213C2C8037A)

DpEFdRPYuiXBgv.exe (PID: 6884 cmdline: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe MD5: 8B0F66978D1934EEC07B6213C2C8037A)

schtasks.exe (PID: 7200 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpEFdRPYuiXBgv" /XML "C:\Users\user\AppData\Local\Temp\tmp2670.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

DpEFdRPYuiXBgv.exe (PID: 7252 cmdline: "C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe" MD5: 8B0F66978D1934EEC07B6213C2C8037A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["austin99.duckdns.org:9373:1", "103.186.117.61:9373:1", "heksaa3030.redirectme.net:9373:1"], "Assigned name": "FEB 16", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-YHG6AC", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\remcos\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.4194398776.000000000281F000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000006.00000002.4193882290.0000000000CDD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000006.00000002.4193882290.0000000000D05000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1769826597.0000000003BAB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1769826597.0000000003BAB000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x13288:$a1: Remcos restarted by watchdog! 0x137e0:$a3: %02i:%02i:%02i:%03i 0x13b65:$a4: * Remcos v
0000000B.00000002.1770743205.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000006.00000002.4193882290.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.1793107257.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.1793107257.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x13b90:$a1: Remcos restarted by watchdog! 0x140e8:$a3: %02i:%02i:%02i:%03i 0x1446d:$a4: * Remcos v
0000000B.00000002.1769463250.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.1769463250.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
0000000B.00000002.1769463250.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
0000000B.00000002.1769463250.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
00000007.00000002.1793107257.0000000004352000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.1793107257.0000000004352000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x68178:$a1: Remcos restarted by watchdog! 0x686d0:$a3: %02i:%02i:%02i:%03i 0x68a55:$a4: * Remcos v
00000000.00000002.1769826597.0000000004873000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1769826597.0000000004873000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x68530:$a1: Remcos restarted by watchdog! 0xddb50:$a1: Remcos restarted by watchdog! 0x68a88:$a3: %02i:%02i:%02i:%03i 0xde0a8:$a3: %02i:%02i:%02i:%03i 0x68e0d:$a4: * Remcos v 0xde42d:$a4: * Remcos v
00000007.00000002.1793107257.00000000040D8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.1793107257.00000000040D8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x68578:$a1: Remcos restarted by watchdog! 0x68ad0:$a3: %02i:%02i:%02i:%03i 0x68e55:$a4: * Remcos v
Process Memory Space: Bukti_Transfer...pdf.exe PID: 7092	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Bukti_Transfer...pdf.exe PID: 7092	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Bukti_Transfer...pdf.exe PID: 7092	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x754b0:$a1: Remcos restarted by watchdog! 0xef7fd:$a1: Remcos restarted by watchdog! 0x759e7:$a3: %02i:%02i:%02i:%03i 0x75fa0:$a3: %02i:%02i:%02i:%03i 0xefd34:$a3: %02i:%02i:%02i:%03i 0xf02ed:$a3: %02i:%02i:%02i:%03i 0x75c09:$a4: * Remcos v 0xeff56:$a4: * Remcos v
Process Memory Space: Bukti_Transfer...pdf.exe PID: 2916	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: DpEFdRPYuiXBgv.exe PID: 6884	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: DpEFdRPYuiXBgv.exe PID: 6884	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: DpEFdRPYuiXBgv.exe PID: 6884	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x50770:$a1: Remcos restarted by watchdog! 0x67e8d:$a1: Remcos restarted by watchdog! 0x80dc9:$a1: Remcos restarted by watchdog! 0x50ca7:$a3: %02i:%02i:%02i:%03i 0x51260:$a3: %02i:%02i:%02i:%03i 0x683c4:$a3: %02i:%02i:%02i:%03i 0x6897d:$a3: %02i:%02i:%02i:%03i 0x81300:$a3: %02i:%02i:%02i:%03i 0x818b9:$a3: %02i:%02i:%02i:%03i 0x50ec9:$a4: * Remcos v 0x685e6:$a4: * Remcos v 0x81522:$a4: * Remcos v
Process Memory Space: DpEFdRPYuiXBgv.exe PID: 7252	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: DpEFdRPYuiXBgv.exe PID: 7252	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xbb79:$a1: Remcos restarted by watchdog! 0xc0b0:$a3: %02i:%02i:%02i:%03i 0xc669:$a3: %02i:%02i:%02i:%03i 0xc2d2:$a4: * Remcos v
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Bukti_Transfer...pdf.exe.48e9170.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.Bukti_Transfer...pdf.exe.48e9170.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
0.2.Bukti_Transfer...pdf.exe.48e9170.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
0.2.Bukti_Transfer...pdf.exe.48e9170.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
0.2.Bukti_Transfer...pdf.exe.48e9170.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.Bukti_Transfer...pdf.exe.48e9170.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
0.2.Bukti_Transfer...pdf.exe.48e9170.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
7.2.DpEFdRPYuiXBgv.exe.4352798.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.DpEFdRPYuiXBgv.exe.4352798.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
7.2.DpEFdRPYuiXBgv.exe.4352798.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.DpEFdRPYuiXBgv.exe.4352798.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
0.2.Bukti_Transfer...pdf.exe.4873b50.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.Bukti_Transfer...pdf.exe.4873b50.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
0.2.Bukti_Transfer...pdf.exe.4873b50.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
0.2.Bukti_Transfer...pdf.exe.4873b50.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
11.2.DpEFdRPYuiXBgv.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.DpEFdRPYuiXBgv.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
11.2.DpEFdRPYuiXBgv.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
11.2.DpEFdRPYuiXBgv.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
7.2.DpEFdRPYuiXBgv.exe.4352798.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.DpEFdRPYuiXBgv.exe.4352798.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
7.2.DpEFdRPYuiXBgv.exe.4352798.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
7.2.DpEFdRPYuiXBgv.exe.4352798.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
11.2.DpEFdRPYuiXBgv.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.DpEFdRPYuiXBgv.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
11.2.DpEFdRPYuiXBgv.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
11.2.DpEFdRPYuiXBgv.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
0.2.Bukti_Transfer...pdf.exe.4873b50.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.Bukti_Transfer...pdf.exe.4873b50.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0xdd000:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0xdd558:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v 0xdd8dd:$a4: * Remcos v
0.2.Bukti_Transfer...pdf.exe.4873b50.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0xd6f20:$s1: \Classes\mscfile\shell\open\command 0xd6f80:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe 0xd6f68:$s2: eventvwr.exe
Click to see the 32 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Bukti_Transfer...pdf.exe", CommandLine: "C:\Users\user\Desktop\Bukti_Transfer...pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe, NewProcessName: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe, OriginalFileName: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\Bukti_Transfer...pdf.exe", ProcessId: 7092, ProcessName: Bukti_Transfer...pdf.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Bukti_Transfer...pdf.exe", ParentImage: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe, ParentProcessId: 7092, ParentProcessName: Bukti_Transfer...pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe", ProcessId: 4916, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpEFdRPYuiXBgv" /XML "C:\Users\user\AppData\Local\Temp\tmp2670.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpEFdRPYuiXBgv" /XML "C:\Users\user\AppData\Local\Temp\tmp2670.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe, ParentImage: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe, ParentProcessId: 6884, ParentProcessName: DpEFdRPYuiXBgv.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpEFdRPYuiXBgv" /XML "C:\Users\user\AppData\Local\Temp\tmp2670.tmp", ProcessId: 7200, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpEFdRPYuiXBgv" /XML "C:\Users\user\AppData\Local\Temp\tmp1D58.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpEFdRPYuiXBgv" /XML "C:\Users\user\AppData\Local\Temp\tmp1D58.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Bukti_Transfer...pdf.exe", ParentImage: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe, ParentProcessId: 7092, ParentProcessName: Bukti_Transfer...pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpEFdRPYuiXBgv" /XML "C:\Users\user\AppData\Local\Temp\tmp1D58.tmp", ProcessId: 1448, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Bukti_Transfer...pdf.exe", ParentImage: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe, ParentProcessId: 7092, ParentProcessName: Bukti_Transfer...pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe", ProcessId: 4916, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpEFdRPYuiXBgv" /XML "C:\Users\user\AppData\Local\Temp\tmp1D58.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpEFdRPYuiXBgv" /XML "C:\Users\user\AppData\Local\Temp\tmp1D58.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Bukti_Transfer...pdf.exe", ParentImage: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe, ParentProcessId: 7092, ParentProcessName: Bukti_Transfer...pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpEFdRPYuiXBgv" /XML "C:\Users\user\AppData\Local\Temp\tmp1D58.tmp", ProcessId: 1448, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe, ProcessId: 2916, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-16T23:57:33.884954+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49734	185.213.83.33	9373	TCP
2025-02-16T23:57:34.860779+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	64599	103.186.117.61	9373	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-16T23:57:36.772081+0100	2803304	3	Unknown Traffic	192.168.2.4	64600	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Bukti_Transfer...pdf.exe

Avira: detected

Antivirus detection for URL or domain

Source: austin99.duckdns.org	Avira URL Cloud: Label: malware
Source: heksaa3030.redirectme.net	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Avira: detection malicious, Label: HEUR/AGEN.1323831

Found malware configuration

Source: 00000007.00000002.1793107257.0000000004352000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["austin99.duckdns.org:9373:1", "103.186.117.61:9373:1", "heksaa3030.redirectme.net:9373:1"], "Assigned name": "FEB 16", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-YHG6AC", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

ReversingLabs: Detection: 59%

Multi AV Scanner detection for submitted file

Source: Bukti_Transfer...pdf.exe	ReversingLabs: Detection: 59%
Source: Bukti_Transfer...pdf.exe	Virustotal: Detection: 59%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.Bukti_Transfer...pdf.exe.48e9170.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bukti_Transfer...pdf.exe.48e9170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bukti_Transfer...pdf.exe.4873b50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bukti_Transfer...pdf.exe.4873b50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.4194398776.000000000281F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4193882290.0000000000CDD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4193882290.0000000000D05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1769826597.0000000003BAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1770743205.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4193882290.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1793107257.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1769463250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1793107257.0000000004352000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1769826597.0000000004873000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1793107257.00000000040D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bukti_Transfer...pdf.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bukti_Transfer...pdf.exe PID: 2916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DpEFdRPYuiXBgv.exe PID: 6884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DpEFdRPYuiXBgv.exe PID: 7252, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

11_2_004315EC

Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1769826597.0000000003BAB000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_7c2c409c-c

Source: Bukti_Transfer...pdf.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Bukti_Transfer...pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	11_2_0041A01B
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	11_2_0040B28E
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_0040838E
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_004087A0
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	11_2_00407848
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_004068CD FindFirstFileW,FindNextFileW,	11_2_004068CD
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	11_2_0040AA71
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	11_2_00417AAB
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	11_2_0040AC78

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

11_2_00406D28

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 4x nop then jmp 028CBC28h		0_2_028CBF64
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 4x nop then jmp 0723AE80h		7_2_0723B1BC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:64599 -> 103.186.117.61:9373
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49734 -> 185.213.83.33:9373

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: austin99.duckdns.org
Source: Malware configuration extractor	URLs: heksaa3030.redirectme.net
Source: Malware configuration extractor	IPs: 103.186.117.61

Uses dynamic DNS services

Source: unknown

DNS query: name: austin99.duckdns.org

Source: global traffic	TCP traffic: 192.168.2.4:49734 -> 185.213.83.33:9373
Source: global traffic	TCP traffic: 192.168.2.4:64599 -> 103.186.117.61:9373

Source: global traffic

TCP traffic: 192.168.2.4:64598 -> 1.1.1.1:53

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View	ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
Source: Joe Sandbox View	ASN Name: QUICKPACKETUS QUICKPACKETUS

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:64600 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.117.61
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.117.61
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.117.61
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.117.61
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.117.61
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.117.61
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.117.61
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.117.61
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.117.61
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.117.61
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.117.61
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.117.61
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.117.61
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.117.61
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.117.61
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.117.61
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.117.61
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.117.61
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

11_2_0041936B

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: austin99.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: Bukti_Transfer...pdf.exe, 00000006.00000002.4193882290.0000000000CDD000.00000004.00000020.00020000.00000000.sdmp, Bukti_Transfer...pdf.exe, 00000006.00000002.4193882290.0000000000D05000.00000004.00000020.00020000.00000000.sdmp, Bukti_Transfer...pdf.exe, 00000006.00000002.4193882290.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, DpEFdRPYuiXBgv.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1769826597.0000000003BAB000.00000004.00000800.00020000.00000000.sdmp, Bukti_Transfer...pdf.exe, 00000000.00000002.1769826597.0000000004873000.00000004.00000800.00020000.00000000.sdmp, DpEFdRPYuiXBgv.exe, 00000007.00000002.1793107257.0000000004352000.00000004.00000800.00020000.00000000.sdmp, DpEFdRPYuiXBgv.exe, 00000007.00000002.1793107257.00000000040D8000.00000004.00000800.00020000.00000000.sdmp, DpEFdRPYuiXBgv.exe, 00000007.00000002.1793107257.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, DpEFdRPYuiXBgv.exe, 0000000B.00000002.1769463250.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Bukti_Transfer...pdf.exe, 00000006.00000002.4193882290.0000000000CDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: Bukti_Transfer...pdf.exe, 00000006.00000002.4193882290.0000000000D05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpv
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1766457345.0000000000C91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1766457345.0000000000C91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.micx2
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1769038692.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DpEFdRPYuiXBgv.exe, 00000007.00000002.1791097703.0000000002800000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name(
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1773784635.0000000007002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000

11_2_00409340

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Bukti_Transfer...pdf.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,

11_2_0040A65A

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

11_2_00414EC1

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,

11_2_0040A65A

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,

11_2_00409468

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.Bukti_Transfer...pdf.exe.48e9170.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bukti_Transfer...pdf.exe.48e9170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bukti_Transfer...pdf.exe.4873b50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bukti_Transfer...pdf.exe.4873b50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.4194398776.000000000281F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4193882290.0000000000CDD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4193882290.0000000000D05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1769826597.0000000003BAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1770743205.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4193882290.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1793107257.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1769463250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1793107257.0000000004352000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1769826597.0000000004873000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1793107257.00000000040D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bukti_Transfer...pdf.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bukti_Transfer...pdf.exe PID: 2916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DpEFdRPYuiXBgv.exe PID: 6884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DpEFdRPYuiXBgv.exe PID: 7252, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_0041A76C SystemParametersInfoW,

11_2_0041A76C

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Bukti_Transfer...pdf.exe.48e9170.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Bukti_Transfer...pdf.exe.48e9170.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Bukti_Transfer...pdf.exe.48e9170.1.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Bukti_Transfer...pdf.exe.48e9170.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Bukti_Transfer...pdf.exe.48e9170.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Bukti_Transfer...pdf.exe.4873b50.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Bukti_Transfer...pdf.exe.4873b50.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Bukti_Transfer...pdf.exe.4873b50.2.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Bukti_Transfer...pdf.exe.4873b50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Bukti_Transfer...pdf.exe.4873b50.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000000.00000002.1769826597.0000000003BAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000007.00000002.1793107257.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.1769463250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.1769463250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000B.00000002.1769463250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000007.00000002.1793107257.0000000004352000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1769826597.0000000004873000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000007.00000002.1793107257.00000000040D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Bukti_Transfer...pdf.exe PID: 7092, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: DpEFdRPYuiXBgv.exe PID: 6884, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: DpEFdRPYuiXBgv.exe PID: 7252, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Bukti_Transfer...pdf.exe

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress,

11_2_00414DB4

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_028C93D8	0_2_028C93D8
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_028C93C9	0_2_028C93C9
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_028C6060	0_2_028C6060
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_028C57D7	0_2_028C57D7
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_028C57F0	0_2_028C57F0
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_028C7708	0_2_028C7708
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_028C7FE0	0_2_028C7FE0
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_028C5C18	0_2_028C5C18
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_028C5C28	0_2_028C5C28
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1685B	0_2_08F1685B
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F10040	0_2_08F10040
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F16048	0_2_08F16048
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1D1F0	0_2_08F1D1F0
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F18178	0_2_08F18178
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F17258	0_2_08F17258
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1EB68	0_2_08F1EB68
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F18078	0_2_08F18078
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1F038	0_2_08F1F038
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1F028	0_2_08F1F028
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F10006	0_2_08F10006
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1D1E0	0_2_08F1D1E0
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1A9B0	0_2_08F1A9B0
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F19180	0_2_08F19180
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F19170	0_2_08F19170
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1D930	0_2_08F1D930
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1D923	0_2_08F1D923
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1A3F0	0_2_08F1A3F0
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1A3E1	0_2_08F1A3E1
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1EB58	0_2_08F1EB58
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1D488	0_2_08F1D488
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1E488	0_2_08F1E488
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1D479	0_2_08F1D479
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1E479	0_2_08F1E479
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1A560	0_2_08F1A560
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1A550	0_2_08F1A550
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F15558	0_2_08F15558
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1D6D8	0_2_08F1D6D8
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1D6C8	0_2_08F1D6C8
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1DE01	0_2_08F1DE01
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1A7F0	0_2_08F1A7F0
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1A7E0	0_2_08F1A7E0
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F19FC0	0_2_08F19FC0
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F15FB0	0_2_08F15FB0
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_0599A99B	7_2_0599A99B
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_0599A9A0	7_2_0599A9A0
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_07239418	7_2_07239418
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_07237708	7_2_07237708
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_072357F0	7_2_072357F0
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_072357D9	7_2_072357D9
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_07239408	7_2_07239408
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_07236060	7_2_07236060
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_07237FE0	7_2_07237FE0
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_07235C28	7_2_07235C28
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_07235C18	7_2_07235C18
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087E685A	7_2_087E685A
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087E0040	7_2_087E0040
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087E8178	7_2_087E8178
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087ED1F0	7_2_087ED1F0
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087E7258	7_2_087E7258
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087E8078	7_2_087E8078
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087EF038	7_2_087EF038
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087EF028	7_2_087EF028
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087E0023	7_2_087E0023
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087E0012	7_2_087E0012
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087E9170	7_2_087E9170
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087EA970	7_2_087EA970
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087ED930	7_2_087ED930
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087ED922	7_2_087ED922
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087ED1E0	7_2_087ED1E0
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087E9180	7_2_087E9180
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087EEB68	7_2_087EEB68
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087EEB58	7_2_087EEB58
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087EA3F0	7_2_087EA3F0
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087EA3E1	7_2_087EA3E1
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087EE3D0	7_2_087EE3D0
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087ED479	7_2_087ED479
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087EE479	7_2_087EE479
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087ED488	7_2_087ED488
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087EE488	7_2_087EE488
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087EA560	7_2_087EA560
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087E5558	7_2_087E5558
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087EA550	7_2_087EA550
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087EDE01	7_2_087EDE01
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087ED6D8	7_2_087ED6D8
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087ED6C8	7_2_087ED6C8
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087EA7F0	7_2_087EA7F0
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087EA7E0	7_2_087EA7E0
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087E9FC0	7_2_087E9FC0
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087E5FB0	7_2_087E5FB0
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_00425152	11_2_00425152
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_00435286	11_2_00435286
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_004513D4	11_2_004513D4
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0045050B	11_2_0045050B
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_00436510	11_2_00436510
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_004316FB	11_2_004316FB
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0043569E	11_2_0043569E
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_00443700	11_2_00443700
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_004257FB	11_2_004257FB
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_004128E3	11_2_004128E3
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_00425964	11_2_00425964
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0041B917	11_2_0041B917
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0043D9CC	11_2_0043D9CC
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_00435AD3	11_2_00435AD3
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_00424BC3	11_2_00424BC3
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0043DBFB	11_2_0043DBFB
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0044ABA9	11_2_0044ABA9
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_00433C0B	11_2_00433C0B
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_00434D8A	11_2_00434D8A
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0043DE2A	11_2_0043DE2A
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0041CEAF	11_2_0041CEAF
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_00435F08	11_2_00435F08

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: String function: 00402073 appears 51 times
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: String function: 00432B90 appears 53 times
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: String function: 00432525 appears 41 times

Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1766457345.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Bukti_Transfer...pdf.exe
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1774771410.00000000078C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Bukti_Transfer...pdf.exe
Source: Bukti_Transfer...pdf.exe, 00000000.00000002.1769826597.0000000004609000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Bukti_Transfer...pdf.exe
Source: Bukti_Transfer...pdf.exe, 00000000.00000000.1716820682.0000000000612000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePEZy.exe, vs Bukti_Transfer...pdf.exe
Source: Bukti_Transfer...pdf.exe	Binary or memory string: OriginalFilenamePEZy.exe, vs Bukti_Transfer...pdf.exe

Source: Bukti_Transfer...pdf.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.Bukti_Transfer...pdf.exe.48e9170.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Bukti_Transfer...pdf.exe.48e9170.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Bukti_Transfer...pdf.exe.48e9170.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Bukti_Transfer...pdf.exe.48e9170.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Bukti_Transfer...pdf.exe.48e9170.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Bukti_Transfer...pdf.exe.4873b50.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Bukti_Transfer...pdf.exe.4873b50.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Bukti_Transfer...pdf.exe.4873b50.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Bukti_Transfer...pdf.exe.4873b50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Bukti_Transfer...pdf.exe.4873b50.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000000.00000002.1769826597.0000000003BAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000007.00000002.1793107257.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.1769463250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.1769463250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000B.00000002.1769463250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000007.00000002.1793107257.0000000004352000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1769826597.0000000004873000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000007.00000002.1793107257.00000000040D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Bukti_Transfer...pdf.exe PID: 7092, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: DpEFdRPYuiXBgv.exe PID: 6884, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: DpEFdRPYuiXBgv.exe PID: 7252, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: Bukti_Transfer...pdf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DpEFdRPYuiXBgv.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, Twvgxw4lgXTPcYW2Tb.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, Twvgxw4lgXTPcYW2Tb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, fXLqJaZr3ZehgnqFmw.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, fXLqJaZr3ZehgnqFmw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, fXLqJaZr3ZehgnqFmw.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, Twvgxw4lgXTPcYW2Tb.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, Twvgxw4lgXTPcYW2Tb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, fXLqJaZr3ZehgnqFmw.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, fXLqJaZr3ZehgnqFmw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, fXLqJaZr3ZehgnqFmw.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, fXLqJaZr3ZehgnqFmw.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, fXLqJaZr3ZehgnqFmw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, fXLqJaZr3ZehgnqFmw.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, Twvgxw4lgXTPcYW2Tb.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, Twvgxw4lgXTPcYW2Tb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@16/13@2/3

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

11_2_00415C90

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,

11_2_0040E2E7

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource,

11_2_00419493

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

11_2_00418A00

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe

File created: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-YHG6AC
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4008:120:WilError_03
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Mutant created: \Sessions\1\BaseNamedObjects\nwiojSsAhUZWdgjOnPrRyGbdeoC
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7208:120:WilError_03

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmp1D58.tmp

Jump to behavior

Source: Bukti_Transfer...pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Bukti_Transfer...pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Bukti_Transfer...pdf.exe	ReversingLabs: Detection: 59%
Source: Bukti_Transfer...pdf.exe	Virustotal: Detection: 59%

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe

File read: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe "C:\Users\user\Desktop\Bukti_Transfer...pdf.exe"
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpEFdRPYuiXBgv" /XML "C:\Users\user\AppData\Local\Temp\tmp1D58.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process created: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe "C:\Users\user\Desktop\Bukti_Transfer...pdf.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpEFdRPYuiXBgv" /XML "C:\Users\user\AppData\Local\Temp\tmp2670.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process created: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe "C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe"
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpEFdRPYuiXBgv" /XML "C:\Users\user\AppData\Local\Temp\tmp1D58.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process created: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe "C:\Users\user\Desktop\Bukti_Transfer...pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpEFdRPYuiXBgv" /XML "C:\Users\user\AppData\Local\Temp\tmp2670.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process created: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe "C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Bukti_Transfer...pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Bukti_Transfer...pdf.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Bukti_Transfer...pdf.exe

Static file information: File size 1398272 > 1048576

Source: Bukti_Transfer...pdf.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14b200

Source: Bukti_Transfer...pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, fXLqJaZr3ZehgnqFmw.cs	.Net Code: l1xlwE1WZN System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, fXLqJaZr3ZehgnqFmw.cs	.Net Code: l1xlwE1WZN System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, fXLqJaZr3ZehgnqFmw.cs	.Net Code: l1xlwE1WZN System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

11_2_0041A8DA

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_028CEC75 push FFFFFF8Bh; iretd	0_2_028CEC77
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F17C10 push cs; ret	0_2_08F17C11
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 0_2_08F1CF78 pushad ; retf	0_2_08F1CF79
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Code function: 6_2_02B0F8C8 push eax; retf	6_2_02B0F8CA
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_059966F0 push esp; retf	7_2_059966F1
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_0723DEBC push dword ptr [edx+ebp*2-75h]; iretd	7_2_0723DEC7
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087E7C10 push cs; ret	7_2_087E7C11
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 7_2_087E26C1 pushfd ; iretd	7_2_087E26CD
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_004000D8 push es; iretd	11_2_004000D9
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0040008C push es; iretd	11_2_0040008D
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_004542E6 push ecx; ret	11_2_004542F9
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0045B4FD push esi; ret	11_2_0045B506
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_00432BD6 push ecx; ret	11_2_00432BE9
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_00454C08 push eax; ret	11_2_00454C26

Source: Bukti_Transfer...pdf.exe	Static PE information: section name: .text entropy: 7.820209015446784
Source: DpEFdRPYuiXBgv.exe.0.dr	Static PE information: section name: .text entropy: 7.820209015446784

Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, IaSsLW8eHVaf8frNXP.cs	High entropy of concatenated method names: 'BQJBDoTv5T', 'NvYBI7lph5', 'IT9BBgX8nx', 'M0yBT4VWyR', 'QaUBhgOK0U', 'wERBLNUewC', 'Dispose', 'GrQjQPjSJg', 'mGkjqbaD3E', 'UW0jmlVOkP'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, miGWcExx9v9K4L1Bjyb.cs	High entropy of concatenated method names: 'Qda2p91YjG', 'LiR2zxFTby', 'lXOTtNSKpC', 'sVgTx6fONN', 'JULTcgicPb', 'SGhTHwa4NK', 'sHoTlbvuXs', 'YPqTPmdXxa', 'tUuTQ32sLD', 'AYgTqiGeh9'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, AwDGCNzBynZ6Ehidob.cs	High entropy of concatenated method names: 'YO82rnkeFt', 'YFr24JU7aW', 'zDd2A5VMO3', 'z0H26OWNPD', 'gTY2XbVsGw', 'fnP2Ja1MDB', 'DYt213FpGg', 'O1X2LWgpd2', 'YcG2fabOeG', 'nu92okRUx2'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, CbxohvlAB82Biw87Y8.cs	High entropy of concatenated method names: 'zSMxFwvgxw', 'dgXxZTPcYW', 'APDxCUC4fs', 'TOOxV6xymO', 'dTBxDujkpi', 'JQRxGmlHIM', 'thmrTGq8tfqs2mB0ab', 'SjvGpJWiT0bjsoUvSZ', 'vt8xxSHFLK', 'EclxHlceDQ'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, fXLqJaZr3ZehgnqFmw.cs	High entropy of concatenated method names: 'LTuHP8taRE', 'Jr0HQhyv9t', 'RW0Hqiajyf', 'i7JHmDZ4MR', 'nSNHY29OCK', 'o3JHUByZn8', 'e5uHFRwFFs', 'wEqHZIclfa', 'Ns5H5K5jVA', 'of1HCeytXs'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, TZUF1XKt7kKv7V88au.cs	High entropy of concatenated method names: 'GDZFQvtXT8', 'NI0Fmwtmf2', 'qcfFU96Qa6', 'mdSUphcFyJ', 'QPDUzTwxy1', 'CiDFtWg17L', 'd5FFxogmk3', 'RivFc8JFtg', 'RiWFHdF9nW', 'nDeFljhivr'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, Opi1QR6mlHIM353G6s.cs	High entropy of concatenated method names: 'KrTUPL4236', 'fTAUqbO57T', 'XZqUYOdJVh', 'dCaUFyObEa', 'oUDUZIV9lQ', 'qsoYdqcGwN', 'QhYY0F4lnX', 'bElY84kvur', 'YVYYEtIiDo', 'nIBYOSfNsN'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, nnbrLvnLOKs5lGOW5V.cs	High entropy of concatenated method names: 'ER0W4qcDAS', 'go6WA3p2cY', 'RuKW6SsdeH', 'caaWXXv8D3', 'xffWJ6mK7P', 'HGxW1K8FJr', 'qFDWKLrT9u', 'DsyWbLqAZC', 'CcBWSGHFZN', 'dQ0Wk8kLC8'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, fpan69qLP81e0QSORl.cs	High entropy of concatenated method names: 'Dispose', 'mafxO8frNX', 'ILMcX6rT4s', 'LpPxccCkpN', 'eB1xpoeMVv', 'TGqxzbFPC8', 'ProcessDialogKey', 'iD4ctWMW8p', 'rkqcxSthMP', 'pi7ccqplKo'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, frh2muxtZwB0d6a1d5T.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Sl52kWIsTg', 'RX429agI4H', 'T7y2nkUIAg', 'Ro42NrOTt9', 'qST2yPOGlW', 'Dwr2iwrfXp', 'ThF2MHba9q'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, MsFfsfmPSWKMrhUb2v.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'VJvcOYItMG', 'fGjcpVXZw7', 'baFcz8tQ0f', 'BBLHtmDNsY', 'VYrHxJb6Ng', 'kU2HcEsXF8', 'DRXHH2s5SA', 'KYF2EVzcDQXFiDV2vH'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, XXjEqJg8MeSPvPXXL2.cs	High entropy of concatenated method names: 't9MFfWSLYT', 'egfFoRUc8N', 'vUVFwfyFSQ', 'Gr6FR2Y3Ca', 'gtbFv4OXsj', 'hVMFrmwIFv', 'GHyFe0qXPn', 'UTnF46xC13', 'mCHFAJ3s0w', 'SL1Fst8NuO'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, YMn9AKxHwMoIRxFyicj.cs	High entropy of concatenated method names: 'CXsTp6qvGA', 'K5LTzPnqfS', 'NtM3tlTOnS', 'LSevsnRmO2pxwa9wY2f', 'P1wq0qRX2vP6iqbN17F', 'v6kftDRHrfpqUypXd6n', 'lLSplhRqNJdTjrmNSPd', 'xUBLayRWoZ7G84mHyYL'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, pMa1C7N18slACZc2wG.cs	High entropy of concatenated method names: 'vxVDStXcJH', 'HHJD9RWAXO', 'P3lDNkWDfd', 'KqJDy4Z2oq', 'JuDDXZjx3R', 'mhxDu4S2sb', 'ALCDJ4oSS6', 'dKgD1SGVHB', 'bC4DauDgsE', 'pZYDKrFp0r'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, Twvgxw4lgXTPcYW2Tb.cs	High entropy of concatenated method names: 'X5bqNZadxv', 'fyEqygagu5', 'o3RqiC8r7I', 'crWqMqWsib', 'edCqdDtShe', 'Bg5q0Ogc9H', 'Oqtq8iMZ9D', 'cKFqElZXpY', 'l5sqOcI8eQ', 'Culqph7aYE'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, IOAVawxlKm0LBHPjgbc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VZP3BC2gWZ', 'aMx322jdAN', 'k7R3TSYG8a', 'Sqw332wirJ', 'NrC3h0lmWp', 'GgK37ELchf', 'HC63LIT0PM'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, DWMW8pOBkqSthMPGi7.cs	High entropy of concatenated method names: 'OBSB6NC0hf', 'qaJBX8SqdQ', 'fA8Bu41IpX', 'rRKBJOnkky', 'he7B1B5xm7', 'HBPBaRN7e4', 'RkhBKwUhy2', 'b7lBbjsZAd', 'miFBgfUebQ', 'tvUBSmi4c7'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, Q5Xx6ocReFAJ6LIDeR.cs	High entropy of concatenated method names: 'dwvwSRZ9y', 'yPdRgxj1K', 'tyqrOkBgw', 'q06eEbo3v', 'msfALvw0c', 'HQ1sAytlC', 'sXqCFY5xrvVpk3h8Mt', 'cRQUnDwUy09xFEoKX7', 'DBFFxccEOXoNReaIOD', 'cwXj06aO7'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, aVYc9U0dKqwV3XvNCZ.cs	High entropy of concatenated method names: 'oDyIEHVuPt', 'qJ7Ipm09tM', 'YC0jthGmLQ', 'w2bjxYAddl', 'bUJIkpFa5q', 'gX4I9FUH4w', 'GTuIn0buMc', 'RdrINqhww4', 'gloIy0Yrg3', 'IHOIi6nmSP'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, fplKo2pu6SkeJ6Yr4A.cs	High entropy of concatenated method names: 'oQu2mAulfL', 'Foi2Y5kQNU', 'vCK2USpZjt', 'WIm2FUlYMv', 'Sss2BjtU8Y', 'QuR2ZIfiPe', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Bukti_Transfer...pdf.exe.46c2868.0.raw.unpack, oC0CavAPDUC4fsMOO6.cs	High entropy of concatenated method names: 'pskmRFCh94', 'gR1mrmFGtc', 'biWm4lNHTq', 'nkZmA4SP9s', 'aPomDgtMKx', 'C4pmG2qh93', 'xqfmId758B', 'vFQmjQ76hI', 'AKPmBnUlQN', 's3Jm2bDHcS'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, IaSsLW8eHVaf8frNXP.cs	High entropy of concatenated method names: 'BQJBDoTv5T', 'NvYBI7lph5', 'IT9BBgX8nx', 'M0yBT4VWyR', 'QaUBhgOK0U', 'wERBLNUewC', 'Dispose', 'GrQjQPjSJg', 'mGkjqbaD3E', 'UW0jmlVOkP'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, miGWcExx9v9K4L1Bjyb.cs	High entropy of concatenated method names: 'Qda2p91YjG', 'LiR2zxFTby', 'lXOTtNSKpC', 'sVgTx6fONN', 'JULTcgicPb', 'SGhTHwa4NK', 'sHoTlbvuXs', 'YPqTPmdXxa', 'tUuTQ32sLD', 'AYgTqiGeh9'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, AwDGCNzBynZ6Ehidob.cs	High entropy of concatenated method names: 'YO82rnkeFt', 'YFr24JU7aW', 'zDd2A5VMO3', 'z0H26OWNPD', 'gTY2XbVsGw', 'fnP2Ja1MDB', 'DYt213FpGg', 'O1X2LWgpd2', 'YcG2fabOeG', 'nu92okRUx2'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, CbxohvlAB82Biw87Y8.cs	High entropy of concatenated method names: 'zSMxFwvgxw', 'dgXxZTPcYW', 'APDxCUC4fs', 'TOOxV6xymO', 'dTBxDujkpi', 'JQRxGmlHIM', 'thmrTGq8tfqs2mB0ab', 'SjvGpJWiT0bjsoUvSZ', 'vt8xxSHFLK', 'EclxHlceDQ'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, fXLqJaZr3ZehgnqFmw.cs	High entropy of concatenated method names: 'LTuHP8taRE', 'Jr0HQhyv9t', 'RW0Hqiajyf', 'i7JHmDZ4MR', 'nSNHY29OCK', 'o3JHUByZn8', 'e5uHFRwFFs', 'wEqHZIclfa', 'Ns5H5K5jVA', 'of1HCeytXs'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, TZUF1XKt7kKv7V88au.cs	High entropy of concatenated method names: 'GDZFQvtXT8', 'NI0Fmwtmf2', 'qcfFU96Qa6', 'mdSUphcFyJ', 'QPDUzTwxy1', 'CiDFtWg17L', 'd5FFxogmk3', 'RivFc8JFtg', 'RiWFHdF9nW', 'nDeFljhivr'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, Opi1QR6mlHIM353G6s.cs	High entropy of concatenated method names: 'KrTUPL4236', 'fTAUqbO57T', 'XZqUYOdJVh', 'dCaUFyObEa', 'oUDUZIV9lQ', 'qsoYdqcGwN', 'QhYY0F4lnX', 'bElY84kvur', 'YVYYEtIiDo', 'nIBYOSfNsN'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, nnbrLvnLOKs5lGOW5V.cs	High entropy of concatenated method names: 'ER0W4qcDAS', 'go6WA3p2cY', 'RuKW6SsdeH', 'caaWXXv8D3', 'xffWJ6mK7P', 'HGxW1K8FJr', 'qFDWKLrT9u', 'DsyWbLqAZC', 'CcBWSGHFZN', 'dQ0Wk8kLC8'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, fpan69qLP81e0QSORl.cs	High entropy of concatenated method names: 'Dispose', 'mafxO8frNX', 'ILMcX6rT4s', 'LpPxccCkpN', 'eB1xpoeMVv', 'TGqxzbFPC8', 'ProcessDialogKey', 'iD4ctWMW8p', 'rkqcxSthMP', 'pi7ccqplKo'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, frh2muxtZwB0d6a1d5T.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Sl52kWIsTg', 'RX429agI4H', 'T7y2nkUIAg', 'Ro42NrOTt9', 'qST2yPOGlW', 'Dwr2iwrfXp', 'ThF2MHba9q'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, MsFfsfmPSWKMrhUb2v.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'VJvcOYItMG', 'fGjcpVXZw7', 'baFcz8tQ0f', 'BBLHtmDNsY', 'VYrHxJb6Ng', 'kU2HcEsXF8', 'DRXHH2s5SA', 'KYF2EVzcDQXFiDV2vH'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, XXjEqJg8MeSPvPXXL2.cs	High entropy of concatenated method names: 't9MFfWSLYT', 'egfFoRUc8N', 'vUVFwfyFSQ', 'Gr6FR2Y3Ca', 'gtbFv4OXsj', 'hVMFrmwIFv', 'GHyFe0qXPn', 'UTnF46xC13', 'mCHFAJ3s0w', 'SL1Fst8NuO'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, YMn9AKxHwMoIRxFyicj.cs	High entropy of concatenated method names: 'CXsTp6qvGA', 'K5LTzPnqfS', 'NtM3tlTOnS', 'LSevsnRmO2pxwa9wY2f', 'P1wq0qRX2vP6iqbN17F', 'v6kftDRHrfpqUypXd6n', 'lLSplhRqNJdTjrmNSPd', 'xUBLayRWoZ7G84mHyYL'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, pMa1C7N18slACZc2wG.cs	High entropy of concatenated method names: 'vxVDStXcJH', 'HHJD9RWAXO', 'P3lDNkWDfd', 'KqJDy4Z2oq', 'JuDDXZjx3R', 'mhxDu4S2sb', 'ALCDJ4oSS6', 'dKgD1SGVHB', 'bC4DauDgsE', 'pZYDKrFp0r'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, Twvgxw4lgXTPcYW2Tb.cs	High entropy of concatenated method names: 'X5bqNZadxv', 'fyEqygagu5', 'o3RqiC8r7I', 'crWqMqWsib', 'edCqdDtShe', 'Bg5q0Ogc9H', 'Oqtq8iMZ9D', 'cKFqElZXpY', 'l5sqOcI8eQ', 'Culqph7aYE'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, IOAVawxlKm0LBHPjgbc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VZP3BC2gWZ', 'aMx322jdAN', 'k7R3TSYG8a', 'Sqw332wirJ', 'NrC3h0lmWp', 'GgK37ELchf', 'HC63LIT0PM'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, DWMW8pOBkqSthMPGi7.cs	High entropy of concatenated method names: 'OBSB6NC0hf', 'qaJBX8SqdQ', 'fA8Bu41IpX', 'rRKBJOnkky', 'he7B1B5xm7', 'HBPBaRN7e4', 'RkhBKwUhy2', 'b7lBbjsZAd', 'miFBgfUebQ', 'tvUBSmi4c7'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, Q5Xx6ocReFAJ6LIDeR.cs	High entropy of concatenated method names: 'dwvwSRZ9y', 'yPdRgxj1K', 'tyqrOkBgw', 'q06eEbo3v', 'msfALvw0c', 'HQ1sAytlC', 'sXqCFY5xrvVpk3h8Mt', 'cRQUnDwUy09xFEoKX7', 'DBFFxccEOXoNReaIOD', 'cwXj06aO7'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, aVYc9U0dKqwV3XvNCZ.cs	High entropy of concatenated method names: 'oDyIEHVuPt', 'qJ7Ipm09tM', 'YC0jthGmLQ', 'w2bjxYAddl', 'bUJIkpFa5q', 'gX4I9FUH4w', 'GTuIn0buMc', 'RdrINqhww4', 'gloIy0Yrg3', 'IHOIi6nmSP'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, fplKo2pu6SkeJ6Yr4A.cs	High entropy of concatenated method names: 'oQu2mAulfL', 'Foi2Y5kQNU', 'vCK2USpZjt', 'WIm2FUlYMv', 'Sss2BjtU8Y', 'QuR2ZIfiPe', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Bukti_Transfer...pdf.exe.477c088.3.raw.unpack, oC0CavAPDUC4fsMOO6.cs	High entropy of concatenated method names: 'pskmRFCh94', 'gR1mrmFGtc', 'biWm4lNHTq', 'nkZmA4SP9s', 'aPomDgtMKx', 'C4pmG2qh93', 'xqfmId758B', 'vFQmjQ76hI', 'AKPmBnUlQN', 's3Jm2bDHcS'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, IaSsLW8eHVaf8frNXP.cs	High entropy of concatenated method names: 'BQJBDoTv5T', 'NvYBI7lph5', 'IT9BBgX8nx', 'M0yBT4VWyR', 'QaUBhgOK0U', 'wERBLNUewC', 'Dispose', 'GrQjQPjSJg', 'mGkjqbaD3E', 'UW0jmlVOkP'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, miGWcExx9v9K4L1Bjyb.cs	High entropy of concatenated method names: 'Qda2p91YjG', 'LiR2zxFTby', 'lXOTtNSKpC', 'sVgTx6fONN', 'JULTcgicPb', 'SGhTHwa4NK', 'sHoTlbvuXs', 'YPqTPmdXxa', 'tUuTQ32sLD', 'AYgTqiGeh9'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, AwDGCNzBynZ6Ehidob.cs	High entropy of concatenated method names: 'YO82rnkeFt', 'YFr24JU7aW', 'zDd2A5VMO3', 'z0H26OWNPD', 'gTY2XbVsGw', 'fnP2Ja1MDB', 'DYt213FpGg', 'O1X2LWgpd2', 'YcG2fabOeG', 'nu92okRUx2'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, CbxohvlAB82Biw87Y8.cs	High entropy of concatenated method names: 'zSMxFwvgxw', 'dgXxZTPcYW', 'APDxCUC4fs', 'TOOxV6xymO', 'dTBxDujkpi', 'JQRxGmlHIM', 'thmrTGq8tfqs2mB0ab', 'SjvGpJWiT0bjsoUvSZ', 'vt8xxSHFLK', 'EclxHlceDQ'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, fXLqJaZr3ZehgnqFmw.cs	High entropy of concatenated method names: 'LTuHP8taRE', 'Jr0HQhyv9t', 'RW0Hqiajyf', 'i7JHmDZ4MR', 'nSNHY29OCK', 'o3JHUByZn8', 'e5uHFRwFFs', 'wEqHZIclfa', 'Ns5H5K5jVA', 'of1HCeytXs'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, TZUF1XKt7kKv7V88au.cs	High entropy of concatenated method names: 'GDZFQvtXT8', 'NI0Fmwtmf2', 'qcfFU96Qa6', 'mdSUphcFyJ', 'QPDUzTwxy1', 'CiDFtWg17L', 'd5FFxogmk3', 'RivFc8JFtg', 'RiWFHdF9nW', 'nDeFljhivr'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, Opi1QR6mlHIM353G6s.cs	High entropy of concatenated method names: 'KrTUPL4236', 'fTAUqbO57T', 'XZqUYOdJVh', 'dCaUFyObEa', 'oUDUZIV9lQ', 'qsoYdqcGwN', 'QhYY0F4lnX', 'bElY84kvur', 'YVYYEtIiDo', 'nIBYOSfNsN'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, nnbrLvnLOKs5lGOW5V.cs	High entropy of concatenated method names: 'ER0W4qcDAS', 'go6WA3p2cY', 'RuKW6SsdeH', 'caaWXXv8D3', 'xffWJ6mK7P', 'HGxW1K8FJr', 'qFDWKLrT9u', 'DsyWbLqAZC', 'CcBWSGHFZN', 'dQ0Wk8kLC8'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, fpan69qLP81e0QSORl.cs	High entropy of concatenated method names: 'Dispose', 'mafxO8frNX', 'ILMcX6rT4s', 'LpPxccCkpN', 'eB1xpoeMVv', 'TGqxzbFPC8', 'ProcessDialogKey', 'iD4ctWMW8p', 'rkqcxSthMP', 'pi7ccqplKo'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, frh2muxtZwB0d6a1d5T.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Sl52kWIsTg', 'RX429agI4H', 'T7y2nkUIAg', 'Ro42NrOTt9', 'qST2yPOGlW', 'Dwr2iwrfXp', 'ThF2MHba9q'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, MsFfsfmPSWKMrhUb2v.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'VJvcOYItMG', 'fGjcpVXZw7', 'baFcz8tQ0f', 'BBLHtmDNsY', 'VYrHxJb6Ng', 'kU2HcEsXF8', 'DRXHH2s5SA', 'KYF2EVzcDQXFiDV2vH'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, XXjEqJg8MeSPvPXXL2.cs	High entropy of concatenated method names: 't9MFfWSLYT', 'egfFoRUc8N', 'vUVFwfyFSQ', 'Gr6FR2Y3Ca', 'gtbFv4OXsj', 'hVMFrmwIFv', 'GHyFe0qXPn', 'UTnF46xC13', 'mCHFAJ3s0w', 'SL1Fst8NuO'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, YMn9AKxHwMoIRxFyicj.cs	High entropy of concatenated method names: 'CXsTp6qvGA', 'K5LTzPnqfS', 'NtM3tlTOnS', 'LSevsnRmO2pxwa9wY2f', 'P1wq0qRX2vP6iqbN17F', 'v6kftDRHrfpqUypXd6n', 'lLSplhRqNJdTjrmNSPd', 'xUBLayRWoZ7G84mHyYL'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, pMa1C7N18slACZc2wG.cs	High entropy of concatenated method names: 'vxVDStXcJH', 'HHJD9RWAXO', 'P3lDNkWDfd', 'KqJDy4Z2oq', 'JuDDXZjx3R', 'mhxDu4S2sb', 'ALCDJ4oSS6', 'dKgD1SGVHB', 'bC4DauDgsE', 'pZYDKrFp0r'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, Twvgxw4lgXTPcYW2Tb.cs	High entropy of concatenated method names: 'X5bqNZadxv', 'fyEqygagu5', 'o3RqiC8r7I', 'crWqMqWsib', 'edCqdDtShe', 'Bg5q0Ogc9H', 'Oqtq8iMZ9D', 'cKFqElZXpY', 'l5sqOcI8eQ', 'Culqph7aYE'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, IOAVawxlKm0LBHPjgbc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VZP3BC2gWZ', 'aMx322jdAN', 'k7R3TSYG8a', 'Sqw332wirJ', 'NrC3h0lmWp', 'GgK37ELchf', 'HC63LIT0PM'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, DWMW8pOBkqSthMPGi7.cs	High entropy of concatenated method names: 'OBSB6NC0hf', 'qaJBX8SqdQ', 'fA8Bu41IpX', 'rRKBJOnkky', 'he7B1B5xm7', 'HBPBaRN7e4', 'RkhBKwUhy2', 'b7lBbjsZAd', 'miFBgfUebQ', 'tvUBSmi4c7'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, Q5Xx6ocReFAJ6LIDeR.cs	High entropy of concatenated method names: 'dwvwSRZ9y', 'yPdRgxj1K', 'tyqrOkBgw', 'q06eEbo3v', 'msfALvw0c', 'HQ1sAytlC', 'sXqCFY5xrvVpk3h8Mt', 'cRQUnDwUy09xFEoKX7', 'DBFFxccEOXoNReaIOD', 'cwXj06aO7'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, aVYc9U0dKqwV3XvNCZ.cs	High entropy of concatenated method names: 'oDyIEHVuPt', 'qJ7Ipm09tM', 'YC0jthGmLQ', 'w2bjxYAddl', 'bUJIkpFa5q', 'gX4I9FUH4w', 'GTuIn0buMc', 'RdrINqhww4', 'gloIy0Yrg3', 'IHOIi6nmSP'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, fplKo2pu6SkeJ6Yr4A.cs	High entropy of concatenated method names: 'oQu2mAulfL', 'Foi2Y5kQNU', 'vCK2USpZjt', 'WIm2FUlYMv', 'Sss2BjtU8Y', 'QuR2ZIfiPe', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Bukti_Transfer...pdf.exe.78c0000.5.raw.unpack, oC0CavAPDUC4fsMOO6.cs	High entropy of concatenated method names: 'pskmRFCh94', 'gR1mrmFGtc', 'biWm4lNHTq', 'nkZmA4SP9s', 'aPomDgtMKx', 'C4pmG2qh93', 'xqfmId758B', 'vFQmjQ76hI', 'AKPmBnUlQN', 's3Jm2bDHcS'

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_004063C6 ShellExecuteW,URLDownloadToFileW,

11_2_004063C6

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe

File created: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpEFdRPYuiXBgv" /XML "C:\Users\user\AppData\Local\Temp\tmp1D58.tmp"

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

11_2_00418A00

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

11_2_0041A8DA

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Bukti_Transfer...pdf.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DpEFdRPYuiXBgv.exe PID: 6884, type: MEMORYSTR

Delayed program exit found

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_0040E18D Sleep,ExitProcess,

11_2_0040E18D

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Memory allocated: 10C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Memory allocated: 2B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Memory allocated: 28B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Memory allocated: 9060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Memory allocated: A060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Memory allocated: A270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Memory allocated: B270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Memory allocated: B690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Memory allocated: C690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Memory allocated: D690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Memory allocated: 2740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Memory allocated: 47B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Memory allocated: 8930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Memory allocated: 6DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Memory allocated: 9930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Memory allocated: A930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Memory allocated: AF50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Memory allocated: BF50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

11_2_004186FE

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6578	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2998	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Window / User API: threadDelayed 9194	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Window / User API: foregroundWindowGot 1768	Jump to behavior

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

API coverage: 5.2 %

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe TID: 6160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7072	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe TID: 7164	Thread sleep count: 255 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe TID: 7164	Thread sleep time: -127500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe TID: 6196	Thread sleep count: 302 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe TID: 6196	Thread sleep time: -906000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe TID: 6196	Thread sleep count: 9194 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe TID: 6196	Thread sleep time: -27582000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe TID: 2836	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	11_2_0041A01B
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	11_2_0040B28E
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_0040838E
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_004087A0
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	11_2_00407848
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_004068CD FindFirstFileW,FindNextFileW,	11_2_004068CD
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	11_2_0040AA71
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	11_2_00417AAB
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	11_2_0040AC78

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

11_2_00406D28

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: DpEFdRPYuiXBgv.exe, 00000007.00000002.1789728368.0000000000B66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Bukti_Transfer...pdf.exe, 00000006.00000002.4193882290.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, Bukti_Transfer...pdf.exe, 00000006.00000002.4193882290.0000000000D2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

11_2_004327AE

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

11_2_0041A8DA

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_004407B5 mov eax, dword ptr fs:[00000030h]

11_2_004407B5

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,

11_2_00410763

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_004327AE
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_004328FC SetUnhandledExceptionFilter,	11_2_004328FC
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_004398AC
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: 11_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00432D5C

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe"
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Memory written: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Memory written: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

11_2_00410B5C

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_004175E1 mouse_event,

11_2_004175E1

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpEFdRPYuiXBgv" /XML "C:\Users\user\AppData\Local\Temp\tmp1D58.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Process created: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe "C:\Users\user\Desktop\Bukti_Transfer...pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpEFdRPYuiXBgv" /XML "C:\Users\user\AppData\Local\Temp\tmp2670.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Process created: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe "C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe"	Jump to behavior

Source: Bukti_Transfer...pdf.exe, 00000006.00000002.4193882290.0000000000CDD000.00000004.00000020.00020000.00000000.sdmp, Bukti_Transfer...pdf.exe, 00000006.00000002.4193882290.0000000000D05000.00000004.00000020.00020000.00000000.sdmp, Bukti_Transfer...pdf.exe, 00000006.00000002.4193882290.0000000000D13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Bukti_Transfer...pdf.exe, 00000006.00000002.4193882290.0000000000D13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerAC\
Source: Bukti_Transfer...pdf.exe, 00000006.00000002.4193882290.0000000000D13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: Bukti_Transfer...pdf.exe, 00000006.00000002.4193882290.0000000000D13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managers
Source: Bukti_Transfer...pdf.exe, 00000006.00000002.4193882290.0000000000CDD000.00000004.00000020.00020000.00000000.sdmp, Bukti_Transfer...pdf.exe, 00000006.00000002.4193882290.0000000000D05000.00000004.00000020.00020000.00000000.sdmp, Bukti_Transfer...pdf.exe, 00000006.00000002.4193882290.0000000000D13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: Bukti_Transfer...pdf.exe, 00000006.00000002.4193882290.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, logs.dat.6.dr	Binary or memory string: [Program Manager]

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_004329DA cpuid

11_2_004329DA

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: EnumSystemLocalesW,	11_2_0044F17B
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: EnumSystemLocalesW,	11_2_0044F130
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: EnumSystemLocalesW,	11_2_0044F216
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	11_2_0044F2A3
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: GetLocaleInfoA,	11_2_0040E2BB
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: GetLocaleInfoW,	11_2_0044F4F3
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	11_2_0044F61C
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: GetLocaleInfoW,	11_2_0044F723
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	11_2_0044F7F0
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: EnumSystemLocalesW,	11_2_00445914
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: GetLocaleInfoW,	11_2_00445E1C
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	11_2_0044EEB8

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Queries volume information: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_0040A0B0 GetLocalTime,wsprintfW,

11_2_0040A0B0

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_004195F8 GetUserNameW,

11_2_004195F8

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: 11_2_004468DC _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

11_2_004468DC

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.Bukti_Transfer...pdf.exe.48e9170.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bukti_Transfer...pdf.exe.48e9170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bukti_Transfer...pdf.exe.4873b50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bukti_Transfer...pdf.exe.4873b50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.4194398776.000000000281F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4193882290.0000000000CDD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4193882290.0000000000D05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1769826597.0000000003BAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1770743205.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4193882290.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1793107257.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1769463250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1793107257.0000000004352000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1769826597.0000000004873000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1793107257.00000000040D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bukti_Transfer...pdf.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bukti_Transfer...pdf.exe PID: 2916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DpEFdRPYuiXBgv.exe PID: 6884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DpEFdRPYuiXBgv.exe PID: 7252, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

11_2_0040A953

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		11_2_0040AA71
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Code function: \key3.db		11_2_0040AA71

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\Bukti_Transfer...pdf.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-YHG6AC			Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-YHG6AC			Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.Bukti_Transfer...pdf.exe.48e9170.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bukti_Transfer...pdf.exe.48e9170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bukti_Transfer...pdf.exe.4873b50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DpEFdRPYuiXBgv.exe.4352798.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.DpEFdRPYuiXBgv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DpEFdRPYuiXBgv.exe.40d8b98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bukti_Transfer...pdf.exe.4873b50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.4194398776.000000000281F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4193882290.0000000000CDD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4193882290.0000000000D05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1769826597.0000000003BAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1770743205.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4193882290.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1793107257.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1769463250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1793107257.0000000004352000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1769826597.0000000004873000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1793107257.00000000040D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bukti_Transfer...pdf.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bukti_Transfer...pdf.exe PID: 2916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DpEFdRPYuiXBgv.exe PID: 6884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DpEFdRPYuiXBgv.exe PID: 7252, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Source: C:\Users\user\AppData\Roaming\DpEFdRPYuiXBgv.exe

Code function: cmd.exe

11_2_0040567A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	211 Input Capture	1 Account Discovery	Remote Desktop Protocol	211 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Windows Service	4 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	Login Hook	122 Process Injection	12 Software Packing	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	33 System Information Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	121 Security Software Discovery	VNC	GUI Input Capture	22 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	122 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Bukti_Transfer...pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Bukti_Transfer...pdf.exe