Edit tour

Windows Analysis Report
Proforma fatura 19022025.exe

Overview

General Information

Sample name:	Proforma fatura 19022025.exe
Analysis ID:	1618877
MD5:	1049c1a137a7e86eb83b144e2c21a944
SHA1:	c36985770a9b9264fc5802fe134d0470feae1f15
SHA256:	9ff30e39c38ae46ea0f2ab5017fc68e32580aa9a8d7a237f98ecd5c3d8fefc34
Tags:	exeuser-threatcat_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Injects a PE file into a foreign processes

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

Proforma fatura 19022025.exe (PID: 3888 cmdline: "C:\Users\user\Desktop\Proforma fatura 19022025.exe" MD5: 1049C1A137A7E86EB83B144E2C21A944)

Proforma fatura 19022025.exe (PID: 1204 cmdline: "C:\Users\user\Desktop\Proforma fatura 19022025.exe" MD5: 1049C1A137A7E86EB83B144E2C21A944)

Proforma fatura 19022025.exe (PID: 3540 cmdline: "C:\Users\user\Desktop\Proforma fatura 19022025.exe" MD5: 1049C1A137A7E86EB83B144E2C21A944)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["176.65.144.154:3077:1"], "Assigned name": "CS 16", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-HYB8WR", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\remcos\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.3728108630.0000000000F14000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.3728108630.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.3729750031.0000000002A5F000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.3725969093.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000009.00000002.3725969093.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.3725969093.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000009.00000002.3725969093.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c708:$a1: Remcos restarted by watchdog! 0x6cc80:$a3: %02i:%02i:%02i:%03i
00000009.00000002.3725969093.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x66994:$str_a1: C:\Windows\System32\cmd.exe 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66a04:$str_b2: Executing file: 0x6784c:$str_b3: GetDirectListeningPort 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67380:$str_b7: \update.vbs 0x66a2c:$str_b9: Downloaded file: 0x66a18:$str_b10: Downloading file: 0x66abc:$str_b12: Failed to upload file: 0x67814:$str_b13: StartForward 0x67834:$str_b14: StopForward 0x672d8:$str_b15: fso.DeleteFile " 0x6726c:$str_b16: On Error Resume Next 0x67308:$str_b17: fso.DeleteFolder " 0x66aac:$str_b18: Uploaded file: 0x66a6c:$str_b19: Unable to delete: 0x672a0:$str_b20: while fso.FileExists(" 0x66f49:$str_c0: [Firefox StoredLogins not found]
00000009.00000002.3725969093.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66810:$s1: CoGetObject 0x66824:$s1: CoGetObject 0x66840:$s1: CoGetObject 0x70480:$s1: CoGetObject 0x667d0:$s2: Elevation:Administrator!new:
00000001.00000002.1283332986.00000000045CD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000001.00000002.1283332986.00000000045CD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000002.1283332986.00000000045CD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000002.1283332986.00000000045CD000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x2a11b8:$a1: Remcos restarted by watchdog! 0x3199d8:$a1: Remcos restarted by watchdog! 0x391e18:$a1: Remcos restarted by watchdog! 0x2a1730:$a3: %02i:%02i:%02i:%03i 0x319f50:$a3: %02i:%02i:%02i:%03i 0x392390:$a3: %02i:%02i:%02i:%03i
Process Memory Space: Proforma fatura 19022025.exe PID: 3888	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: Proforma fatura 19022025.exe PID: 3888	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Proforma fatura 19022025.exe PID: 3888	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Proforma fatura 19022025.exe PID: 3888	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Proforma fatura 19022025.exe PID: 3888	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x62aeb:$a1: Remcos restarted by watchdog! 0x63048:$a3: %02i:%02i:%02i:%03i 0x633f7:$a3: %02i:%02i:%02i:%03i
Process Memory Space: Proforma fatura 19022025.exe PID: 3540	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: Proforma fatura 19022025.exe PID: 3540	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Proforma fatura 19022025.exe PID: 3540	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Proforma fatura 19022025.exe PID: 3540	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xe997:$a1: Remcos restarted by watchdog! 0xeef4:$a3: %02i:%02i:%02i:%03i 0xf2ac:$a3: %02i:%02i:%02i:%03i
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.Proforma fatura 19022025.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.2.Proforma fatura 19022025.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.Proforma fatura 19022025.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.Proforma fatura 19022025.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c708:$a1: Remcos restarted by watchdog! 0x6cc80:$a3: %02i:%02i:%02i:%03i
9.2.Proforma fatura 19022025.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x66994:$str_a1: C:\Windows\System32\cmd.exe 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66a04:$str_b2: Executing file: 0x6784c:$str_b3: GetDirectListeningPort 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67380:$str_b7: \update.vbs 0x66a2c:$str_b9: Downloaded file: 0x66a18:$str_b10: Downloading file: 0x66abc:$str_b12: Failed to upload file: 0x67814:$str_b13: StartForward 0x67834:$str_b14: StopForward 0x672d8:$str_b15: fso.DeleteFile " 0x6726c:$str_b16: On Error Resume Next 0x67308:$str_b17: fso.DeleteFolder " 0x66aac:$str_b18: Uploaded file: 0x66a6c:$str_b19: Unable to delete: 0x672a0:$str_b20: while fso.FileExists(" 0x66f49:$str_c0: [Firefox StoredLogins not found]
9.2.Proforma fatura 19022025.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66810:$s1: CoGetObject 0x66824:$s1: CoGetObject 0x66840:$s1: CoGetObject 0x70480:$s1: CoGetObject 0x667d0:$s2: Elevation:Administrator!new:
9.2.Proforma fatura 19022025.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.2.Proforma fatura 19022025.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.Proforma fatura 19022025.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.Proforma fatura 19022025.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
9.2.Proforma fatura 19022025.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64f94:$str_a1: C:\Windows\System32\cmd.exe 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65004:$str_b2: Executing file: 0x65e4c:$str_b3: GetDirectListeningPort 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65980:$str_b7: \update.vbs 0x6502c:$str_b9: Downloaded file: 0x65018:$str_b10: Downloading file: 0x650bc:$str_b12: Failed to upload file: 0x65e14:$str_b13: StartForward 0x65e34:$str_b14: StopForward 0x658d8:$str_b15: fso.DeleteFile " 0x6586c:$str_b16: On Error Resume Next 0x65908:$str_b17: fso.DeleteFolder " 0x650ac:$str_b18: Uploaded file: 0x6506c:$str_b19: Unable to delete: 0x658a0:$str_b20: while fso.FileExists(" 0x65549:$str_c0: [Firefox StoredLogins not found]
9.2.Proforma fatura 19022025.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
1.2.Proforma fatura 19022025.exe.48034b0.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.2.Proforma fatura 19022025.exe.48034b0.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.2.Proforma fatura 19022025.exe.48034b0.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
1.2.Proforma fatura 19022025.exe.48034b0.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69308:$a1: Remcos restarted by watchdog! 0x69880:$a3: %02i:%02i:%02i:%03i
1.2.Proforma fatura 19022025.exe.48034b0.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x63594:$str_a1: C:\Windows\System32\cmd.exe 0x63510:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63510:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63a10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64010:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x63604:$str_b2: Executing file: 0x6444c:$str_b3: GetDirectListeningPort 0x63e00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63f80:$str_b7: \update.vbs 0x6362c:$str_b9: Downloaded file: 0x63618:$str_b10: Downloading file: 0x636bc:$str_b12: Failed to upload file: 0x64414:$str_b13: StartForward 0x64434:$str_b14: StopForward 0x63ed8:$str_b15: fso.DeleteFile " 0x63e6c:$str_b16: On Error Resume Next 0x63f08:$str_b17: fso.DeleteFolder " 0x636ac:$str_b18: Uploaded file: 0x6366c:$str_b19: Unable to delete: 0x63ea0:$str_b20: while fso.FileExists(" 0x63b49:$str_c0: [Firefox StoredLogins not found]
1.2.Proforma fatura 19022025.exe.48034b0.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x63480:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x63410:$s1: CoGetObject 0x63424:$s1: CoGetObject 0x63440:$s1: CoGetObject 0x6d080:$s1: CoGetObject 0x633d0:$s2: Elevation:Administrator!new:
1.2.Proforma fatura 19022025.exe.48034b0.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.2.Proforma fatura 19022025.exe.48034b0.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.2.Proforma fatura 19022025.exe.48034b0.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
1.2.Proforma fatura 19022025.exe.48034b0.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0xe3528:$a1: Remcos restarted by watchdog! 0x15b968:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i 0xe3aa0:$a3: %02i:%02i:%02i:%03i 0x15bee0:$a3: %02i:%02i:%02i:%03i
1.2.Proforma fatura 19022025.exe.48034b0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xdd6a0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x155ae0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0xdd630:$s1: CoGetObject 0xdd644:$s1: CoGetObject 0xdd660:$s1: CoGetObject 0xe72a0:$s1: CoGetObject 0x155a70:$s1: CoGetObject 0x155a84:$s1: CoGetObject 0x155aa0:$s1: CoGetObject 0x15f6e0:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new: 0xdd5f0:$s2: Elevation:Administrator!new: 0x155a30:$s2: Elevation:Administrator!new:
1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x127928:$a1: Remcos restarted by watchdog! 0x1a0148:$a1: Remcos restarted by watchdog! 0x218588:$a1: Remcos restarted by watchdog! 0x127ea0:$a3: %02i:%02i:%02i:%03i 0x1a06c0:$a3: %02i:%02i:%02i:%03i 0x218b00:$a3: %02i:%02i:%02i:%03i
1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x121aa0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x19a2c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x212700:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x121a30:$s1: CoGetObject 0x121a44:$s1: CoGetObject 0x121a60:$s1: CoGetObject 0x12b6a0:$s1: CoGetObject 0x19a250:$s1: CoGetObject 0x19a264:$s1: CoGetObject 0x19a280:$s1: CoGetObject 0x1a3ec0:$s1: CoGetObject 0x212690:$s1: CoGetObject 0x2126a4:$s1: CoGetObject 0x2126c0:$s1: CoGetObject 0x21c300:$s1: CoGetObject 0x1219f0:$s2: Elevation:Administrator!new: 0x19a210:$s2: Elevation:Administrator!new: 0x212650:$s2: Elevation:Administrator!new:
1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x1e4548:$a1: Remcos restarted by watchdog! 0x25cd68:$a1: Remcos restarted by watchdog! 0x2d51a8:$a1: Remcos restarted by watchdog! 0x1e4ac0:$a3: %02i:%02i:%02i:%03i 0x25d2e0:$a3: %02i:%02i:%02i:%03i 0x2d5720:$a3: %02i:%02i:%02i:%03i
1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1de6c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x256ee0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2cf320:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1de650:$s1: CoGetObject 0x1de664:$s1: CoGetObject 0x1de680:$s1: CoGetObject 0x1e82c0:$s1: CoGetObject 0x256e70:$s1: CoGetObject 0x256e84:$s1: CoGetObject 0x256ea0:$s1: CoGetObject 0x260ae0:$s1: CoGetObject 0x2cf2b0:$s1: CoGetObject 0x2cf2c4:$s1: CoGetObject 0x2cf2e0:$s1: CoGetObject 0x2d8f20:$s1: CoGetObject 0x1de610:$s2: Elevation:Administrator!new: 0x256e30:$s2: Elevation:Administrator!new: 0x2cf270:$s2: Elevation:Administrator!new:
Click to see the 28 entries

Sigma Signatures

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Proforma fatura 19022025.exe, ProcessId: 3540, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T09:16:22.041849+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49703	176.65.144.154	3077	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T09:16:24.017806+0100	2803304	3	Unknown Traffic	192.168.2.7	49707	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 9.2.Proforma fatura 19022025.exe.400000.0.unpack

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["176.65.144.154:3077:1"], "Assigned name": "CS 16", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-HYB8WR", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for submitted file

Source: Proforma fatura 19022025.exe	ReversingLabs: Detection: 29%
Source: Proforma fatura 19022025.exe	Virustotal: Detection: 40%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 9.2.Proforma fatura 19022025.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Proforma fatura 19022025.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.48034b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.48034b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3728108630.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3728108630.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3729750031.0000000002A5F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3725969093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1283332986.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Proforma fatura 19022025.exe PID: 3888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Proforma fatura 19022025.exe PID: 3540, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_00432B45 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

9_2_00432B45

Source: Proforma fatura 19022025.exe, 00000001.00000002.1283332986.00000000045CD000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_f4649c9d-d

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 9.2.Proforma fatura 19022025.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Proforma fatura 19022025.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.48034b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.48034b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3725969093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1283332986.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Proforma fatura 19022025.exe PID: 3888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Proforma fatura 19022025.exe PID: 3540, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_00406764 _wcslen,CoGetObject,

9_2_00406764

Source: Proforma fatura 19022025.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Proforma fatura 19022025.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Syvx.pdb source: Proforma fatura 19022025.exe
Source:	Binary string: Syvx.pdbSHA256Q source: Proforma fatura 19022025.exe

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	9_2_0040B335
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	9_2_0040B53A
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	9_2_0041B63A
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0044D7F9 FindFirstFileExA,	9_2_0044D7F9
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	9_2_004089A9
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00406AC2 FindFirstFileW,FindNextFileW,	9_2_00406AC2
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	9_2_00407A8C
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	9_2_00408DA7
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,	9_2_00418E5F

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

9_2_00406F06

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 4x nop then jmp 02A10E6Ch

1_2_02A10AA9

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49703 -> 176.65.144.154:3077

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 176.65.144.154

Source: global traffic

TCP traffic: 192.168.2.7:49703 -> 176.65.144.154:3077

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: PALTEL-ASPALTELAutonomousSystemPS PALTEL-ASPALTELAutonomousSystemPS

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49707 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.154
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.154
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.154
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.154
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.154
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.154
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.154
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.154
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.154
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.154
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.154
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.154
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.154
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.154
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.154
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.154
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.154
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.154
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_00426302 recv,

9_2_00426302

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: geoplugin.net

Source: Proforma fatura 19022025.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Proforma fatura 19022025.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000F01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000F42000.00000004.00000020.00020000.00000000.sdmp, Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000F01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000F01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp%
Source: Proforma fatura 19022025.exe, 00000001.00000002.1283332986.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, Proforma fatura 19022025.exe, 00000009.00000002.3725969093.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000F14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp8
Source: Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000F14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpR
Source: Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000F01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpc
Source: Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000F14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpndi
Source: Proforma fatura 19022025.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: Proforma fatura 19022025.exe, 00000001.00000002.1282773582.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Proforma fatura 19022025.exe	String found in binary or memory: http://tempuri.org/DataTableUsers.xsd
Source: Proforma fatura 19022025.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000

9_2_004099E4

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Proforma fatura 19022025.exe

Jump to behavior

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

9_2_00415B5E

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

9_2_00415B5E

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

9_2_00415B5E

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

9_2_00409B10

Source: Yara match	File source: 9.2.Proforma fatura 19022025.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Proforma fatura 19022025.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.48034b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.48034b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3725969093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1283332986.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Proforma fatura 19022025.exe PID: 3888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Proforma fatura 19022025.exe PID: 3540, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 9.2.Proforma fatura 19022025.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Proforma fatura 19022025.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.48034b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.48034b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3728108630.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3728108630.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3729750031.0000000002A5F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3725969093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1283332986.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Proforma fatura 19022025.exe PID: 3888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Proforma fatura 19022025.exe PID: 3540, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_0041BD82 SystemParametersInfoW,

9_2_0041BD82

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.Proforma fatura 19022025.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.Proforma fatura 19022025.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.Proforma fatura 19022025.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.Proforma fatura 19022025.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.Proforma fatura 19022025.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.Proforma fatura 19022025.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.Proforma fatura 19022025.exe.48034b0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.Proforma fatura 19022025.exe.48034b0.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.Proforma fatura 19022025.exe.48034b0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.Proforma fatura 19022025.exe.48034b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.Proforma fatura 19022025.exe.48034b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000009.00000002.3725969093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000002.3725969093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000009.00000002.3725969093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000001.00000002.1283332986.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Proforma fatura 19022025.exe PID: 3888, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Proforma fatura 19022025.exe PID: 3540, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

.NET source code contains very large strings

Source: Proforma fatura 19022025.exe, Form4.cs

Long String: Length: 169248

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_00415A51 ExitWindowsEx,LoadLibraryA,GetProcAddress,

9_2_00415A51

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_02A10300	1_2_02A10300
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_02A102F1	1_2_02A102F1
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_02A135C0	1_2_02A135C0
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_02A9E044	1_2_02A9E044
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_05CE8588	1_2_05CE8588
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_05CE8AE8	1_2_05CE8AE8
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_05CE0040	1_2_05CE0040
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_05CE0006	1_2_05CE0006
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_05CEB8F8	1_2_05CEB8F8
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_07455170	1_2_07455170
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_07450A20	1_2_07450A20
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_0745C750	1_2_0745C750
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_07455451	1_2_07455451
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_07455460	1_2_07455460
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_0745C328	1_2_0745C328
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_0745E240	1_2_0745E240
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_0745E230	1_2_0745E230
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_07455160	1_2_07455160
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_074541DF	1_2_074541DF
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_074541F0	1_2_074541F0
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_074541B9	1_2_074541B9
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_0745DE08	1_2_0745DE08
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_0745BEE1	1_2_0745BEE1
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_0745DDF7	1_2_0745DDF7
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_07452BF8	1_2_07452BF8
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_07450A10	1_2_07450A10
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_08A80A80	1_2_08A80A80
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_08A8F0A9	1_2_08A8F0A9
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_08A80A70	1_2_08A80A70
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0043D04B	9_2_0043D04B
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0042707E	9_2_0042707E
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0041301D	9_2_0041301D
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00441030	9_2_00441030
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00453110	9_2_00453110
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_004271B8	9_2_004271B8
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0041D27C	9_2_0041D27C
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_004522E2	9_2_004522E2
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0043D2A8	9_2_0043D2A8
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00437360	9_2_00437360
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_004363BA	9_2_004363BA
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0042645F	9_2_0042645F
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00431582	9_2_00431582
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0043672C	9_2_0043672C
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0041E7EA	9_2_0041E7EA
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0044C949	9_2_0044C949
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_004269D6	9_2_004269D6
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_004369D6	9_2_004369D6
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0043CBED	9_2_0043CBED
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00432C54	9_2_00432C54
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00436C9D	9_2_00436C9D
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0043CE1C	9_2_0043CE1C
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00436F58	9_2_00436F58
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00434F32	9_2_00434F32

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: String function: 004020E7 appears 40 times
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: String function: 00433AB0 appears 41 times
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: String function: 004341C0 appears 55 times
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: String function: 00401F66 appears 50 times

Source: Proforma fatura 19022025.exe

Static PE information: invalid certificate

Source: Proforma fatura 19022025.exe, 00000001.00000002.1281445623.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Proforma fatura 19022025.exe
Source: Proforma fatura 19022025.exe, 00000001.00000000.1267007356.0000000000762000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSyvx.exeF vs Proforma fatura 19022025.exe
Source: Proforma fatura 19022025.exe, 00000001.00000002.1283332986.00000000045CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Proforma fatura 19022025.exe
Source: Proforma fatura 19022025.exe, 00000001.00000002.1283332986.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Proforma fatura 19022025.exe
Source: Proforma fatura 19022025.exe, 00000001.00000002.1287729565.0000000007410000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Proforma fatura 19022025.exe
Source: Proforma fatura 19022025.exe, 00000001.00000002.1288923182.000000000B460000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Proforma fatura 19022025.exe
Source: Proforma fatura 19022025.exe	Binary or memory string: OriginalFilenameSyvx.exeF vs Proforma fatura 19022025.exe

Source: Proforma fatura 19022025.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.Proforma fatura 19022025.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.Proforma fatura 19022025.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.Proforma fatura 19022025.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.Proforma fatura 19022025.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.Proforma fatura 19022025.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.Proforma fatura 19022025.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.Proforma fatura 19022025.exe.48034b0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.Proforma fatura 19022025.exe.48034b0.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.Proforma fatura 19022025.exe.48034b0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.Proforma fatura 19022025.exe.48034b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.Proforma fatura 19022025.exe.48034b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000009.00000002.3725969093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000009.00000002.3725969093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000009.00000002.3725969093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000001.00000002.1283332986.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Proforma fatura 19022025.exe PID: 3888, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Proforma fatura 19022025.exe PID: 3540, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: Proforma fatura 19022025.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, xhnrejH15o5YcLR2qX.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, xhnrejH15o5YcLR2qX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, xhnrejH15o5YcLR2qX.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, xhnrejH15o5YcLR2qX.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, xhnrejH15o5YcLR2qX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, xhnrejH15o5YcLR2qX.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, Fdp740NBDgVvVKeNjj.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, Fdp740NBDgVvVKeNjj.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, Fdp740NBDgVvVKeNjj.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, Fdp740NBDgVvVKeNjj.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, xhnrejH15o5YcLR2qX.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, xhnrejH15o5YcLR2qX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, xhnrejH15o5YcLR2qX.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, Fdp740NBDgVvVKeNjj.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, Fdp740NBDgVvVKeNjj.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@5/3@1/2

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_00416C9D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

9_2_00416C9D

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_0040E2F1 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

9_2_0040E2F1

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_0041A84A FindResourceA,LoadResource,LockResource,SizeofResource,

9_2_0041A84A

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_00419DBA OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

9_2_00419DBA

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Proforma fatura 19022025.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-HYB8WR
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Mutant created: \Sessions\1\BaseNamedObjects\qQnKXLtOj
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: Proforma fatura 19022025.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Proforma fatura 19022025.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Proforma fatura 19022025.exe	ReversingLabs: Detection: 29%
Source: Proforma fatura 19022025.exe	Virustotal: Detection: 40%

Source: unknown	Process created: C:\Users\user\Desktop\Proforma fatura 19022025.exe "C:\Users\user\Desktop\Proforma fatura 19022025.exe"
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process created: C:\Users\user\Desktop\Proforma fatura 19022025.exe "C:\Users\user\Desktop\Proforma fatura 19022025.exe"
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process created: C:\Users\user\Desktop\Proforma fatura 19022025.exe "C:\Users\user\Desktop\Proforma fatura 19022025.exe"
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process created: C:\Users\user\Desktop\Proforma fatura 19022025.exe "C:\Users\user\Desktop\Proforma fatura 19022025.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process created: C:\Users\user\Desktop\Proforma fatura 19022025.exe "C:\Users\user\Desktop\Proforma fatura 19022025.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Proforma fatura 19022025.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Proforma fatura 19022025.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Proforma fatura 19022025.exe

Static file information: File size 1321480 > 1048576

Source: Proforma fatura 19022025.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13e800

Source: Proforma fatura 19022025.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Proforma fatura 19022025.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Syvx.pdb source: Proforma fatura 19022025.exe
Source:	Binary string: Syvx.pdbSHA256Q source: Proforma fatura 19022025.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: Proforma fatura 19022025.exe, Form4.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, xhnrejH15o5YcLR2qX.cs	.Net Code: QnAjp9U8rj System.Reflection.Assembly.Load(byte[])
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, xhnrejH15o5YcLR2qX.cs	.Net Code: QnAjp9U8rj System.Reflection.Assembly.Load(byte[])
Source: 1.2.Proforma fatura 19022025.exe.7410000.3.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, xhnrejH15o5YcLR2qX.cs	.Net Code: QnAjp9U8rj System.Reflection.Assembly.Load(byte[])

Source: Proforma fatura 19022025.exe

Static PE information: 0xD30F3C23 [Tue Mar 17 16:36:51 2082 UTC]

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_0041BEEE LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

9_2_0041BEEE

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_02A119C0 push esp; retf	1_2_02A119C1
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 1_2_02A146FD push FFFFFF8Bh; iretd	1_2_02A146FF
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_004560BF push ecx; ret	9_2_004560D2
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00434206 push ecx; ret	9_2_00434219
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0045E669 push ecx; ret	9_2_0045E67B
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0045C9DD push esi; ret	9_2_0045C9E6
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_004569F0 push eax; ret	9_2_00456A0E

Source: Proforma fatura 19022025.exe

Static PE information: section name: .text entropy: 7.1279445637355385

Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, A5Vy0RzPcZVUnWMItq.cs	High entropy of concatenated method names: 'JIJEVI2ch4', 'NVQENyk2yy', 'KJ1EGCrmJ3', 'ABAEOTiMJf', 'xqrEaaBXYe', 'B6MExnyBhb', 'm28EDnPgLv', 'DkAEkqWssd', 'Mw3E7O99wX', 'aNCEogACIi'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, nOIaRF5uQiw6AgUE2i.cs	High entropy of concatenated method names: 'P6iyFboK5W', 'o7My17NVHS', 'DCByy5sMVU', 'MfCy88rl3l', 'd3OywTq4uY', 'uPgykMQp9e', 'Dispose', 'WViWM3nfI5', 'MENWdVp6Vj', 'cvYW69awle'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, kUXUdSlnKrZbhFYYd1.cs	High entropy of concatenated method names: 'kKAU7CL35Q', 'loZUo2nans', 'tbuUprnbqM', 'vqpUmIgVZB', 'qCoUJ0RVjx', 'B63UV3tbye', 'NwRUTp5ri7', 'onvUNp0vr6', 'PBmUG9HQeg', 'AtcUAVcZDy'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, jvr6EChfbnoi2Zq0Mh7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'acrEC83Uxc', 'CncE2MMNhs', 'bxDEcLsXhF', 'RoGErZNFhB', 'NZMEvh40lG', 'm6yE9u77rQ', 'eg5EZgeaMi'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, Fdp740NBDgVvVKeNjj.cs	High entropy of concatenated method names: 'rDmdr12IEB', 'FEZdv53Yf5', 'gM2d9vXHEr', 'My6dZFWHJQ', 'SLkdeQlgRG', 'zvTdLRORy1', 'n7Td5snw9U', 'UAMd3gEByj', 'VB4dQodfgh', 'urEdqyXbxO'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, LJLdIgdkP5vd8732w1.cs	High entropy of concatenated method names: 'Dispose', 'mw6hQAgUE2', 'Ox9sa7FuyT', 'H2QtknNEUl', 'mh1hqdgCSO', 'EmOhzp2OeC', 'ProcessDialogKey', 'D39sfoc0bS', 'FDHshkdPIv', 'hTBssIeVaH'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, OGw2dvsgGneu0d8NkU.cs	High entropy of concatenated method names: 'SVepbW2hn', 'LbfmKUDrL', 's5HVW89Xh', 'rxcTpmnLQ', 'TZJGj6H80', 'oOFAi9Jhx', 'gwfBep0n8moeEFB6rl', 'jMxA2ritGTg5BZcib1', 'de6Whf6qO', 'RN8E1rvBg'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, OlG4C79bRdgHPK5kZR.cs	High entropy of concatenated method names: 'ToString', 'qMruCGLcis', 'siPuaeQWwy', 'BTFugbiENt', 'vxauxWsmeF', 'TVeuDLrt5T', 'VRnuXudqIQ', 'yDEu0U1dwY', 'MG1ubtOZgG', 'T7cultGYSK'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, mMTZCNc8fnIa99UF3X.cs	High entropy of concatenated method names: 'v7uSNq2kxI', 'GhWSGUntLq', 'mvfSOPnrpm', 'WLySahjOit', 'xDQSxFukgS', 'YlsSDnMYlY', 'SdsS0gRfK3', 'UCHSbdwo6Y', 'l3oStDIC5u', 'qqhSCjjG19'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, xhnrejH15o5YcLR2qX.cs	High entropy of concatenated method names: 'b6YYBTlOUn', 'BXfYMlBZKK', 'JMMYdoYM7m', 'ouVY6Kcn5F', 'JkMYRragdZ', 'RADYIiMZiM', 'AeHYU6r5Du', 'wmfYHKCLwe', 'tXeY4neMvF', 'opCYiSUlKp'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, ieVaHLqbw4DeHxkIAN.cs	High entropy of concatenated method names: 'woXE6HGPsT', 'mY2ERW7tlY', 'SQZEIBuIne', 'rWmEUaSTOj', 'PMvEyfJiVC', 'WxSEHLcJ2j', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, lm2C8pLELC2vvRpudB.cs	High entropy of concatenated method names: 'qTo13iW4H8', 'fmI1qiUc82', 'AI4WfK6hik', 'rDGWhtexbP', 'y3T1Ck21Lo', 'qcU12ZYKnb', 'oBU1cQhl79', 'LcN1rCyHhP', 'be01vjAf1I', 'dtU19P40j7'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, tm5v5Thj37oe9Ml7mM4.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PHbPyRk0vO', 'l0kPEQyC9k', 'uwXP8SOB5u', 'tp6PPyQNTF', 'vnWPwO5ibi', 'JmYPKC95fL', 'yYjPkTmXjs'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, H1aXJxOqxhIVvBXgGn.cs	High entropy of concatenated method names: 'vUSIBgSGqs', 'vhSIdDVvMT', 'iPbIRXEfLB', 'tBOIU8lYVt', 'HuyIHsGYSr', 'YRkReHUDoa', 'S1URLfaLfS', 'iIIR5MQ7wN', 'VItR3DumjT', 'RauRQEtXbI'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, DhHNMYj9WO2ZqZfFAb.cs	High entropy of concatenated method names: 'XGOhUdp740', 'eDghHVvVKe', 'P2qhipPO02', 't7KhnqB77Z', 'yBJhFXmg1a', 'KJxhuqxhIV', 'tdiEB1Y1LImwpm5oT1', 'QiZsxqOJcPtN97aLWW', 'R4dhhPBr3p', 'cRdhY1Sldu'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, k6syC2G2qpPO0287Kq.cs	High entropy of concatenated method names: 'Ttc6mo185o', 'pPE6VdQ4Aj', 't366N4xUMf', 'qjX6GYm3Ki', 'VWL6Fbioe7', 'Jel6uslmbs', 'gNM61o18b4', 'R5t6W8NZp8', 'pmZ6y3PwAA', 'nRp6EZo3aH'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, eOFP4Ur5KVRTgkvcB2.cs	High entropy of concatenated method names: 'm9qFtNfvvk', 'oT6F2eAkEM', 'vfqFrgll0F', 'immFvrtuOq', 'q1jFa4SaH1', 'sEVFg1DQNr', 'MBUFx568XN', 'lEcFDv6Cqa', 'lCLFXqWqA8', 'VBhF0oQOdU'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, Ho6IBG0jUv0VykI9Dh.cs	High entropy of concatenated method names: 'pnWUMApIbu', 'QArU6njqdo', 'WneUImJahF', 'YLgIqlX2DX', 'RS7Iz3iUyc', 'yUfUfZ42Yy', 'TsMUhgA5n5', 'EXtUskXyaG', 'Sx3UYfHaZq', 'OyaUjvdlJX'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, Toc0bSQADHkdPIv6TB.cs	High entropy of concatenated method names: 'dQKyOVDdwx', 'qPoyaQboXk', 'oXMygGpRCE', 'p8kyxRfnV8', 'Q0syD1SiY7', 'tE1yXTGLHA', 'M4Uy0r3LBq', 'DqiybGiqZr', 'BOPylAci01', 'BaAyth1hWk'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, H0ZVi5hhvoD51l9Pnh0.cs	High entropy of concatenated method names: 'APnEqBUj10', 'SaAEzUYfEY', 'zbn8fTRS5x', 'DoG8hujuSw', 'Vyj8sH52Y5', 'Exp8Yxi43n', 'WUy8jQrFU8', 'ksJ8Bglf7Q', 'jUK8MsATci', 'N6n8dDBuKm'
Source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, e77ZZHA2cafnNoBJXm.cs	High entropy of concatenated method names: 'eAURJo3WeO', 'XbhRTvcJoo', 'zol6gSnEql', 'juR6xo9RHT', 'aAQ6DFgG6h', 'Ojj6XSwfxr', 'sCm60Ljp9q', 'pMH6b2a3jU', 'pMP6lZScDL', 'FiB6tCNJay'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, A5Vy0RzPcZVUnWMItq.cs	High entropy of concatenated method names: 'JIJEVI2ch4', 'NVQENyk2yy', 'KJ1EGCrmJ3', 'ABAEOTiMJf', 'xqrEaaBXYe', 'B6MExnyBhb', 'm28EDnPgLv', 'DkAEkqWssd', 'Mw3E7O99wX', 'aNCEogACIi'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, nOIaRF5uQiw6AgUE2i.cs	High entropy of concatenated method names: 'P6iyFboK5W', 'o7My17NVHS', 'DCByy5sMVU', 'MfCy88rl3l', 'd3OywTq4uY', 'uPgykMQp9e', 'Dispose', 'WViWM3nfI5', 'MENWdVp6Vj', 'cvYW69awle'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, kUXUdSlnKrZbhFYYd1.cs	High entropy of concatenated method names: 'kKAU7CL35Q', 'loZUo2nans', 'tbuUprnbqM', 'vqpUmIgVZB', 'qCoUJ0RVjx', 'B63UV3tbye', 'NwRUTp5ri7', 'onvUNp0vr6', 'PBmUG9HQeg', 'AtcUAVcZDy'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, jvr6EChfbnoi2Zq0Mh7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'acrEC83Uxc', 'CncE2MMNhs', 'bxDEcLsXhF', 'RoGErZNFhB', 'NZMEvh40lG', 'm6yE9u77rQ', 'eg5EZgeaMi'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, Fdp740NBDgVvVKeNjj.cs	High entropy of concatenated method names: 'rDmdr12IEB', 'FEZdv53Yf5', 'gM2d9vXHEr', 'My6dZFWHJQ', 'SLkdeQlgRG', 'zvTdLRORy1', 'n7Td5snw9U', 'UAMd3gEByj', 'VB4dQodfgh', 'urEdqyXbxO'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, LJLdIgdkP5vd8732w1.cs	High entropy of concatenated method names: 'Dispose', 'mw6hQAgUE2', 'Ox9sa7FuyT', 'H2QtknNEUl', 'mh1hqdgCSO', 'EmOhzp2OeC', 'ProcessDialogKey', 'D39sfoc0bS', 'FDHshkdPIv', 'hTBssIeVaH'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, OGw2dvsgGneu0d8NkU.cs	High entropy of concatenated method names: 'SVepbW2hn', 'LbfmKUDrL', 's5HVW89Xh', 'rxcTpmnLQ', 'TZJGj6H80', 'oOFAi9Jhx', 'gwfBep0n8moeEFB6rl', 'jMxA2ritGTg5BZcib1', 'de6Whf6qO', 'RN8E1rvBg'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, OlG4C79bRdgHPK5kZR.cs	High entropy of concatenated method names: 'ToString', 'qMruCGLcis', 'siPuaeQWwy', 'BTFugbiENt', 'vxauxWsmeF', 'TVeuDLrt5T', 'VRnuXudqIQ', 'yDEu0U1dwY', 'MG1ubtOZgG', 'T7cultGYSK'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, mMTZCNc8fnIa99UF3X.cs	High entropy of concatenated method names: 'v7uSNq2kxI', 'GhWSGUntLq', 'mvfSOPnrpm', 'WLySahjOit', 'xDQSxFukgS', 'YlsSDnMYlY', 'SdsS0gRfK3', 'UCHSbdwo6Y', 'l3oStDIC5u', 'qqhSCjjG19'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, xhnrejH15o5YcLR2qX.cs	High entropy of concatenated method names: 'b6YYBTlOUn', 'BXfYMlBZKK', 'JMMYdoYM7m', 'ouVY6Kcn5F', 'JkMYRragdZ', 'RADYIiMZiM', 'AeHYU6r5Du', 'wmfYHKCLwe', 'tXeY4neMvF', 'opCYiSUlKp'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, ieVaHLqbw4DeHxkIAN.cs	High entropy of concatenated method names: 'woXE6HGPsT', 'mY2ERW7tlY', 'SQZEIBuIne', 'rWmEUaSTOj', 'PMvEyfJiVC', 'WxSEHLcJ2j', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, lm2C8pLELC2vvRpudB.cs	High entropy of concatenated method names: 'qTo13iW4H8', 'fmI1qiUc82', 'AI4WfK6hik', 'rDGWhtexbP', 'y3T1Ck21Lo', 'qcU12ZYKnb', 'oBU1cQhl79', 'LcN1rCyHhP', 'be01vjAf1I', 'dtU19P40j7'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, tm5v5Thj37oe9Ml7mM4.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PHbPyRk0vO', 'l0kPEQyC9k', 'uwXP8SOB5u', 'tp6PPyQNTF', 'vnWPwO5ibi', 'JmYPKC95fL', 'yYjPkTmXjs'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, H1aXJxOqxhIVvBXgGn.cs	High entropy of concatenated method names: 'vUSIBgSGqs', 'vhSIdDVvMT', 'iPbIRXEfLB', 'tBOIU8lYVt', 'HuyIHsGYSr', 'YRkReHUDoa', 'S1URLfaLfS', 'iIIR5MQ7wN', 'VItR3DumjT', 'RauRQEtXbI'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, DhHNMYj9WO2ZqZfFAb.cs	High entropy of concatenated method names: 'XGOhUdp740', 'eDghHVvVKe', 'P2qhipPO02', 't7KhnqB77Z', 'yBJhFXmg1a', 'KJxhuqxhIV', 'tdiEB1Y1LImwpm5oT1', 'QiZsxqOJcPtN97aLWW', 'R4dhhPBr3p', 'cRdhY1Sldu'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, k6syC2G2qpPO0287Kq.cs	High entropy of concatenated method names: 'Ttc6mo185o', 'pPE6VdQ4Aj', 't366N4xUMf', 'qjX6GYm3Ki', 'VWL6Fbioe7', 'Jel6uslmbs', 'gNM61o18b4', 'R5t6W8NZp8', 'pmZ6y3PwAA', 'nRp6EZo3aH'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, eOFP4Ur5KVRTgkvcB2.cs	High entropy of concatenated method names: 'm9qFtNfvvk', 'oT6F2eAkEM', 'vfqFrgll0F', 'immFvrtuOq', 'q1jFa4SaH1', 'sEVFg1DQNr', 'MBUFx568XN', 'lEcFDv6Cqa', 'lCLFXqWqA8', 'VBhF0oQOdU'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, Ho6IBG0jUv0VykI9Dh.cs	High entropy of concatenated method names: 'pnWUMApIbu', 'QArU6njqdo', 'WneUImJahF', 'YLgIqlX2DX', 'RS7Iz3iUyc', 'yUfUfZ42Yy', 'TsMUhgA5n5', 'EXtUskXyaG', 'Sx3UYfHaZq', 'OyaUjvdlJX'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, Toc0bSQADHkdPIv6TB.cs	High entropy of concatenated method names: 'dQKyOVDdwx', 'qPoyaQboXk', 'oXMygGpRCE', 'p8kyxRfnV8', 'Q0syD1SiY7', 'tE1yXTGLHA', 'M4Uy0r3LBq', 'DqiybGiqZr', 'BOPylAci01', 'BaAyth1hWk'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, H0ZVi5hhvoD51l9Pnh0.cs	High entropy of concatenated method names: 'APnEqBUj10', 'SaAEzUYfEY', 'zbn8fTRS5x', 'DoG8hujuSw', 'Vyj8sH52Y5', 'Exp8Yxi43n', 'WUy8jQrFU8', 'ksJ8Bglf7Q', 'jUK8MsATci', 'N6n8dDBuKm'
Source: 1.2.Proforma fatura 19022025.exe.b460000.4.raw.unpack, e77ZZHA2cafnNoBJXm.cs	High entropy of concatenated method names: 'eAURJo3WeO', 'XbhRTvcJoo', 'zol6gSnEql', 'juR6xo9RHT', 'aAQ6DFgG6h', 'Ojj6XSwfxr', 'sCm60Ljp9q', 'pMH6b2a3jU', 'pMP6lZScDL', 'FiB6tCNJay'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, A5Vy0RzPcZVUnWMItq.cs	High entropy of concatenated method names: 'JIJEVI2ch4', 'NVQENyk2yy', 'KJ1EGCrmJ3', 'ABAEOTiMJf', 'xqrEaaBXYe', 'B6MExnyBhb', 'm28EDnPgLv', 'DkAEkqWssd', 'Mw3E7O99wX', 'aNCEogACIi'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, nOIaRF5uQiw6AgUE2i.cs	High entropy of concatenated method names: 'P6iyFboK5W', 'o7My17NVHS', 'DCByy5sMVU', 'MfCy88rl3l', 'd3OywTq4uY', 'uPgykMQp9e', 'Dispose', 'WViWM3nfI5', 'MENWdVp6Vj', 'cvYW69awle'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, kUXUdSlnKrZbhFYYd1.cs	High entropy of concatenated method names: 'kKAU7CL35Q', 'loZUo2nans', 'tbuUprnbqM', 'vqpUmIgVZB', 'qCoUJ0RVjx', 'B63UV3tbye', 'NwRUTp5ri7', 'onvUNp0vr6', 'PBmUG9HQeg', 'AtcUAVcZDy'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, jvr6EChfbnoi2Zq0Mh7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'acrEC83Uxc', 'CncE2MMNhs', 'bxDEcLsXhF', 'RoGErZNFhB', 'NZMEvh40lG', 'm6yE9u77rQ', 'eg5EZgeaMi'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, Fdp740NBDgVvVKeNjj.cs	High entropy of concatenated method names: 'rDmdr12IEB', 'FEZdv53Yf5', 'gM2d9vXHEr', 'My6dZFWHJQ', 'SLkdeQlgRG', 'zvTdLRORy1', 'n7Td5snw9U', 'UAMd3gEByj', 'VB4dQodfgh', 'urEdqyXbxO'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, LJLdIgdkP5vd8732w1.cs	High entropy of concatenated method names: 'Dispose', 'mw6hQAgUE2', 'Ox9sa7FuyT', 'H2QtknNEUl', 'mh1hqdgCSO', 'EmOhzp2OeC', 'ProcessDialogKey', 'D39sfoc0bS', 'FDHshkdPIv', 'hTBssIeVaH'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, OGw2dvsgGneu0d8NkU.cs	High entropy of concatenated method names: 'SVepbW2hn', 'LbfmKUDrL', 's5HVW89Xh', 'rxcTpmnLQ', 'TZJGj6H80', 'oOFAi9Jhx', 'gwfBep0n8moeEFB6rl', 'jMxA2ritGTg5BZcib1', 'de6Whf6qO', 'RN8E1rvBg'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, OlG4C79bRdgHPK5kZR.cs	High entropy of concatenated method names: 'ToString', 'qMruCGLcis', 'siPuaeQWwy', 'BTFugbiENt', 'vxauxWsmeF', 'TVeuDLrt5T', 'VRnuXudqIQ', 'yDEu0U1dwY', 'MG1ubtOZgG', 'T7cultGYSK'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, mMTZCNc8fnIa99UF3X.cs	High entropy of concatenated method names: 'v7uSNq2kxI', 'GhWSGUntLq', 'mvfSOPnrpm', 'WLySahjOit', 'xDQSxFukgS', 'YlsSDnMYlY', 'SdsS0gRfK3', 'UCHSbdwo6Y', 'l3oStDIC5u', 'qqhSCjjG19'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, xhnrejH15o5YcLR2qX.cs	High entropy of concatenated method names: 'b6YYBTlOUn', 'BXfYMlBZKK', 'JMMYdoYM7m', 'ouVY6Kcn5F', 'JkMYRragdZ', 'RADYIiMZiM', 'AeHYU6r5Du', 'wmfYHKCLwe', 'tXeY4neMvF', 'opCYiSUlKp'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, ieVaHLqbw4DeHxkIAN.cs	High entropy of concatenated method names: 'woXE6HGPsT', 'mY2ERW7tlY', 'SQZEIBuIne', 'rWmEUaSTOj', 'PMvEyfJiVC', 'WxSEHLcJ2j', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, lm2C8pLELC2vvRpudB.cs	High entropy of concatenated method names: 'qTo13iW4H8', 'fmI1qiUc82', 'AI4WfK6hik', 'rDGWhtexbP', 'y3T1Ck21Lo', 'qcU12ZYKnb', 'oBU1cQhl79', 'LcN1rCyHhP', 'be01vjAf1I', 'dtU19P40j7'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, tm5v5Thj37oe9Ml7mM4.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PHbPyRk0vO', 'l0kPEQyC9k', 'uwXP8SOB5u', 'tp6PPyQNTF', 'vnWPwO5ibi', 'JmYPKC95fL', 'yYjPkTmXjs'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, H1aXJxOqxhIVvBXgGn.cs	High entropy of concatenated method names: 'vUSIBgSGqs', 'vhSIdDVvMT', 'iPbIRXEfLB', 'tBOIU8lYVt', 'HuyIHsGYSr', 'YRkReHUDoa', 'S1URLfaLfS', 'iIIR5MQ7wN', 'VItR3DumjT', 'RauRQEtXbI'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, DhHNMYj9WO2ZqZfFAb.cs	High entropy of concatenated method names: 'XGOhUdp740', 'eDghHVvVKe', 'P2qhipPO02', 't7KhnqB77Z', 'yBJhFXmg1a', 'KJxhuqxhIV', 'tdiEB1Y1LImwpm5oT1', 'QiZsxqOJcPtN97aLWW', 'R4dhhPBr3p', 'cRdhY1Sldu'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, k6syC2G2qpPO0287Kq.cs	High entropy of concatenated method names: 'Ttc6mo185o', 'pPE6VdQ4Aj', 't366N4xUMf', 'qjX6GYm3Ki', 'VWL6Fbioe7', 'Jel6uslmbs', 'gNM61o18b4', 'R5t6W8NZp8', 'pmZ6y3PwAA', 'nRp6EZo3aH'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, eOFP4Ur5KVRTgkvcB2.cs	High entropy of concatenated method names: 'm9qFtNfvvk', 'oT6F2eAkEM', 'vfqFrgll0F', 'immFvrtuOq', 'q1jFa4SaH1', 'sEVFg1DQNr', 'MBUFx568XN', 'lEcFDv6Cqa', 'lCLFXqWqA8', 'VBhF0oQOdU'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, Ho6IBG0jUv0VykI9Dh.cs	High entropy of concatenated method names: 'pnWUMApIbu', 'QArU6njqdo', 'WneUImJahF', 'YLgIqlX2DX', 'RS7Iz3iUyc', 'yUfUfZ42Yy', 'TsMUhgA5n5', 'EXtUskXyaG', 'Sx3UYfHaZq', 'OyaUjvdlJX'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, Toc0bSQADHkdPIv6TB.cs	High entropy of concatenated method names: 'dQKyOVDdwx', 'qPoyaQboXk', 'oXMygGpRCE', 'p8kyxRfnV8', 'Q0syD1SiY7', 'tE1yXTGLHA', 'M4Uy0r3LBq', 'DqiybGiqZr', 'BOPylAci01', 'BaAyth1hWk'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, H0ZVi5hhvoD51l9Pnh0.cs	High entropy of concatenated method names: 'APnEqBUj10', 'SaAEzUYfEY', 'zbn8fTRS5x', 'DoG8hujuSw', 'Vyj8sH52Y5', 'Exp8Yxi43n', 'WUy8jQrFU8', 'ksJ8Bglf7Q', 'jUK8MsATci', 'N6n8dDBuKm'
Source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, e77ZZHA2cafnNoBJXm.cs	High entropy of concatenated method names: 'eAURJo3WeO', 'XbhRTvcJoo', 'zol6gSnEql', 'juR6xo9RHT', 'aAQ6DFgG6h', 'Ojj6XSwfxr', 'sCm60Ljp9q', 'pMH6b2a3jU', 'pMP6lZScDL', 'FiB6tCNJay'

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_00406128 ShellExecuteW,URLDownloadToFileW,

9_2_00406128

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_00419DBA OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

9_2_00419DBA

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

9_2_0041BEEE

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Proforma fatura 19022025.exe PID: 3888, type: MEMORYSTR

Delayed program exit found

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_0040E627 Sleep,ExitProcess,

9_2_0040E627

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Memory allocated: 2880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Memory allocated: 29B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Memory allocated: 8A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Memory allocated: 9A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Memory allocated: 9C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Memory allocated: AC90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Memory allocated: B520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Memory allocated: C520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Memory allocated: D520000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

9_2_00419AB8

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 239875	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 239737	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 239609	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 239499	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 239373	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 239245	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 239121	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 239013	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 238906	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Window / User API: threadDelayed 1061	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Window / User API: threadDelayed 656	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Window / User API: threadDelayed 9337	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Window / User API: foregroundWindowGot 1766	Jump to behavior

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe TID: 6132	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe TID: 6132	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe TID: 6132	Thread sleep time: -239875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe TID: 6132	Thread sleep time: -239737s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe TID: 6132	Thread sleep time: -239609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe TID: 6132	Thread sleep time: -239499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe TID: 6132	Thread sleep time: -239373s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe TID: 6132	Thread sleep time: -239245s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe TID: 6132	Thread sleep time: -239121s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe TID: 6132	Thread sleep time: -239013s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe TID: 6132	Thread sleep time: -238906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe TID: 4548	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe TID: 7172	Thread sleep count: 206 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe TID: 7172	Thread sleep time: -103000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe TID: 7176	Thread sleep count: 200 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe TID: 7176	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe TID: 7176	Thread sleep count: 9337 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe TID: 7176	Thread sleep time: -28011000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	9_2_0040B335
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	9_2_0040B53A
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	9_2_0041B63A
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0044D7F9 FindFirstFileExA,	9_2_0044D7F9
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	9_2_004089A9
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00406AC2 FindFirstFileW,FindNextFileW,	9_2_00406AC2
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	9_2_00407A8C
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	9_2_00408DA7
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,	9_2_00418E5F

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

9_2_00406F06

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 239875	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 239737	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 239609	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 239499	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 239373	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 239245	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 239121	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 239013	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 238906	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Proforma fatura 19022025.exe, 00000009.00000002.3728735666.0000000000F5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Proforma fatura 19022025.exe, 00000009.00000002.3728735666.0000000000F5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@58
Source: Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8$

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

API call chain: ExitProcess graph end node

graph_9-48957

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_0043A86D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

9_2_0043A86D

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

9_2_0041BEEE

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_00442764 mov eax, dword ptr fs:[00000030h]

9_2_00442764

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_0044EB3E GetProcessHeap,

9_2_0044EB3E

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00434378 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00434378
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_0043A86D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_0043A86D
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00433D4F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00433D4F
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: 9_2_00433EE2 SetUnhandledExceptionFilter,	9_2_00433EE2

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Memory written: C:\Users\user\Desktop\Proforma fatura 19022025.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

9_2_0041100E

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_0041894A mouse_event,

9_2_0041894A

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process created: C:\Users\user\Desktop\Proforma fatura 19022025.exe "C:\Users\user\Desktop\Proforma fatura 19022025.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Process created: C:\Users\user\Desktop\Proforma fatura 19022025.exe "C:\Users\user\Desktop\Proforma fatura 19022025.exe"			Jump to behavior

Source: Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerG
Source: Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerWR\19les;C:\Program Files (x8
Source: Proforma fatura 19022025.exe, 00000009.00000002.3728735666.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerWR\UL
Source: Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerWR\7
Source: Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: Proforma fatura 19022025.exe, 00000009.00000002.3728735666.0000000000F57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerd^
Source: Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerT;.CMD;
Source: Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, logs.dat.9.dr	Binary or memory string: [Program Manager]
Source: Proforma fatura 19022025.exe, 00000009.00000002.3728108630.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerWR\

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_00434015 cpuid

9_2_00434015

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: GetLocaleInfoA,	9_2_0040E751
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	9_2_0045107A
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: GetLocaleInfoW,	9_2_004512CA
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: EnumSystemLocalesW,	9_2_004472BE
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	9_2_004513F3
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: GetLocaleInfoW,	9_2_004514FA
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	9_2_004515C7
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: GetLocaleInfoW,	9_2_004477A7
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	9_2_00450C8F
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: EnumSystemLocalesW,	9_2_00450F52
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: EnumSystemLocalesW,	9_2_00450F07
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: EnumSystemLocalesW,	9_2_00450FED

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Queries volume information: C:\Users\user\Desktop\Proforma fatura 19022025.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_00404915 GetLocalTime,CreateEventA,CreateThread,

9_2_00404915

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_0041A9AD GetComputerNameExW,GetUserNameW,

9_2_0041A9AD

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: 9_2_0044804A _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

9_2_0044804A

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 9.2.Proforma fatura 19022025.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Proforma fatura 19022025.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.48034b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.48034b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3728108630.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3728108630.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3729750031.0000000002A5F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3725969093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1283332986.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Proforma fatura 19022025.exe PID: 3888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Proforma fatura 19022025.exe PID: 3540, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

9_2_0040B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		9_2_0040B335
Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe	Code function: \key3.db		9_2_0040B335

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-HYB8WR

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 9.2.Proforma fatura 19022025.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Proforma fatura 19022025.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.48034b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.48034b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.4746890.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Proforma fatura 19022025.exe.4689c70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3728108630.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3728108630.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3729750031.0000000002A5F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3725969093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1283332986.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Proforma fatura 19022025.exe PID: 3888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Proforma fatura 19022025.exe PID: 3540, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Source: C:\Users\user\Desktop\Proforma fatura 19022025.exe

Code function: cmd.exe

9_2_00405042

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	211 Input Capture	1 Account Discovery	Remote Desktop Protocol	211 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	Logon Script (Windows)	1 Access Token Manipulation	4 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	12 Software Packing	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	122 Process Injection	1 Timestomp	LSA Secrets	33 System Information Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	21 Security Software Discovery	VNC	GUI Input Capture	12 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Bypass User Account Control	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Masquerading	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	31 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	122 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Proforma fatura 19022025.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Proforma fatura 19022025.exe