Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1637437
MD5:d249e2b6f10508da70305bb27bbf43e6
SHA1:9a9948c0c7d4d90b2ac21925ac73372ac265fb99
SHA256:489a4758ea8e46736dc0f67da790eeba6d5244de889dcee5ff49dcd6e9929736
Tags:exeuser-jstrosch
Infos:

Detection

Remcos
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Found evasive API chain checking for user administrative privileges
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Browser Execution In Headless Mode
Sigma detected: Browser Started with Remote Debugging
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 6928 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D249E2B6F10508DA70305BB27BBF43E6)
    • chrome.exe (PID: 6104 cmdline: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)
      • chrome.exe (PID: 2252 cmdline: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --no-pre-read-main-dll --field-trial-handle=2016,i,5887734212717503347,3934441495540810161,262144 --disable-features=PaintHolding --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2060 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
    • recover.exe (PID: 7648 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\iajtsrgsebxssztvpisvuwyvnh" MD5: D38B657A068016768CA9F3B5E100B472)
    • recover.exe (PID: 7656 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\svolskrusjpwcnhzgsfxxbteowblk" MD5: D38B657A068016768CA9F3B5E100B472)
    • recover.exe (PID: 7672 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\vxcelccngrhjftddqdrqiogvxctmlxvr" MD5: D38B657A068016768CA9F3B5E100B472)
    • recover.exe (PID: 7192 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\zgvoqthapwehbbwvasslabmm" MD5: D38B657A068016768CA9F3B5E100B472)
    • recover.exe (PID: 7200 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kaiyjmsudewmdpszrdfelggvrby" MD5: D38B657A068016768CA9F3B5E100B472)
    • recover.exe (PID: 7236 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\mcorkecvrmorovgcbozgottmahirzjo" MD5: D38B657A068016768CA9F3B5E100B472)
    • msedge.exe (PID: 7756 cmdline: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)
      • msedge.exe (PID: 8016 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1536 --field-trial-handle=1408,i,18324159308857574355,16848231625671550438,262144 --disable-features=PaintHolding /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["remyma.duckdns.org:52507:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7J4RV4", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
file.exeJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
    file.exeJoeSecurity_RemcosYara detected Remcos RATJoe Security
      file.exeJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
        file.exeWindows_Trojan_Remcos_b296e965unknownunknown
        • 0x6bd58:$a1: Remcos restarted by watchdog!
        • 0x6c3a8:$a3: %02i:%02i:%02i:%03i
        file.exeREMCOS_RAT_variantsunknownunknown
        • 0x65ff4:$str_a1: C:\Windows\System32\cmd.exe
        • 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x66064:$str_b2: Executing file:
        • 0x66e9c:$str_b3: GetDirectListeningPort
        • 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x66a48:$str_b7: \update.vbs
        • 0x6608c:$str_b9: Downloaded file:
        • 0x66078:$str_b10: Downloading file:
        • 0x6611c:$str_b12: Failed to upload file:
        • 0x66e64:$str_b13: StartForward
        • 0x66e84:$str_b14: StopForward
        • 0x669a0:$str_b15: fso.DeleteFile "
        • 0x66934:$str_b16: On Error Resume Next
        • 0x669d0:$str_b17: fso.DeleteFolder "
        • 0x6610c:$str_b18: Uploaded file:
        • 0x660cc:$str_b19: Unable to delete:
        • 0x66968:$str_b20: while fso.FileExists("
        • 0x665a9:$str_c0: [Firefox StoredLogins not found]
        Click to see the 1 entries

        Memory Dumps

        SourceRuleDescriptionAuthorStrings
        00000000.00000003.1207192327.0000000003D6A000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
          00000000.00000003.1207120382.0000000003EE7000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
            00000000.00000003.1126311531.00000000037DF000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
              00000000.00000003.1133055587.0000000003D6A000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                00000000.00000003.1130449971.0000000003AA3000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                  Click to see the 28 entries

                  Unpacked PEs

                  SourceRuleDescriptionAuthorStrings
                  0.3.file.exe.37dcf40.9.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                    0.3.file.exe.37dcf40.8.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                      5.2.recover.exe.400000.0.raw.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                        0.3.file.exe.383f560.16.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                          0.3.file.exe.37dcf40.7.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                            Click to see the 27 entries

                            Sigma Signatures

                            System Summary

                            barindex
                            Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
                            Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", CommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", CommandLine|base64offset|contains: ^i^, Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6928, ParentProcessName: file.exe, ProcessCommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", ProcessId: 6104, ProcessName: chrome.exe
                            Sigma detected: Browser Execution In Headless Mode
                            Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", CommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", CommandLine|base64offset|contains: ^i^, Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6928, ParentProcessName: file.exe, ProcessCommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", ProcessId: 6104, ProcessName: chrome.exe
                            Sigma detected: Browser Started with Remote Debugging
                            Source: Process startedAuthor: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", CommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", CommandLine|base64offset|contains: ^i^, Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6928, ParentProcessName: file.exe, ProcessCommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", ProcessId: 6104, ProcessName: chrome.exe

                            Stealing of Sensitive Information

                            barindex
                            Sigma detected: Remcos
                            Source: Registry Key setAuthor: Joe Security: Data: Details: 26 25 82 37 90 1B 85 BD 1B BF 3F 60 76 33 60 A0 A2 A6 C3 87 95 36 C4 01 83 6E 3C 32 CC 9E 17 93 7D 1E 4A C3 54 09 FB 62 09 ED 1C CA 33 C3 AB 09 A4 50 E6 7F 03 66 3F FA E7 A3 5F FC 52 37 9C 85 87 2B , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 6928, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-7J4RV4\exepath

                            Suricata Signatures

                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-03-13T16:24:45.615217+010020365941Malware Command and Control Activity Detected192.168.2.849682172.94.9.13252507TCP
                            2025-03-13T16:24:47.130551+010020365941Malware Command and Control Activity Detected192.168.2.849683172.94.9.13252507TCP
                            2025-03-13T16:24:47.134647+010020365941Malware Command and Control Activity Detected192.168.2.849684172.94.9.13252507TCP
                            2025-03-13T16:24:47.134695+010020365941Malware Command and Control Activity Detected192.168.2.849685172.94.9.13252507TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-03-13T16:24:47.595946+010028033043Unknown Traffic192.168.2.849686178.237.33.5080TCP

                            Joe Sandbox Signatures

                            Click to jump to signature section

                            Show All Signature Results

                            AV Detection

                            barindex
                            Antivirus / Scanner detection for submitted sample
                            Source: file.exeAvira: detected
                            Antivirus detection for URL or domain
                            Source: remyma.duckdns.orgAvira URL Cloud: Label: malware
                            Found malware configuration
                            Source: file.exeMalware Configuration Extractor: Remcos {"Host:Port:Password": ["remyma.duckdns.org:52507:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7J4RV4", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
                            Multi AV Scanner detection for submitted file
                            Source: file.exeVirustotal: Detection: 80%Perma Link
                            Source: file.exeReversingLabs: Detection: 84%
                            Yara detected Remcos RAT
                            Source: Yara matchFile source: file.exe, type: SAMPLE
                            Source: Yara matchFile source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000000.00000002.3525236730.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000002.3525925643.000000000067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000000.1059471953.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: file.exe PID: 6928, type: MEMORYSTR
                            Joe Sandbox ML detected suspicious sample
                            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00433B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_00433B64
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_00407687 GetProcAddress,FreeLibrary,CryptUnprotectData,5_2_00407687
                            Source: file.exe, 00000000.00000002.3525236730.0000000000459000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_cc8ca8c1-b

                            Exploits

                            barindex
                            Yara detected UAC Bypass using CMSTP
                            Source: Yara matchFile source: file.exe, type: SAMPLE
                            Source: Yara matchFile source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000000.00000002.3525236730.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000000.1059471953.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: file.exe PID: 6928, type: MEMORYSTR

                            Privilege Escalation

                            barindex
                            Contains functionality to bypass UAC (CMSTPLUA)
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00406ABC _wcslen,CoGetObject,0_2_00406ABC
                            Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: unknownHTTPS traffic detected: 151.101.66.132:443 -> 192.168.2.8:49687 version: TLS 1.2
                            Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: recover.exe, recover.exe, 00000008.00000002.1204867164.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_004090DC
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B6B5
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041C7E5
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B8BA
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0044E989 FindFirstFileExA,0_2_0044E989
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_00408CDE
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419CEE
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407EDD
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00406F13 FindFirstFileW,FindNextFileW,0_2_00406F13
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_041B10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_041B10F1
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_041B6580 FindFirstFileExA,0_2_041B6580
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10005B50 FindFirstFileW,FindNextFileW,FindNextFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_10005B50
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10007E40 Sleep,FindFirstFileW,RemoveDirectoryW,FindNextFileW,RemoveDirectoryW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_10007E40
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10019083 FindFirstFileExA,0_2_10019083
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10007510 FindFirstFileW,FindNextFileW,CreateFileW,FindNextFileW,FindClose,CloseHandle,FindClose,0_2_10007510
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0040B477 FindFirstFileW,FindNextFileW,5_2_0040B477
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,6_2_00407EF8
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,7_2_00407898
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_0040B477 FindFirstFileW,FindNextFileW,8_2_0040B477
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407357
                            Source: chrome.exeMemory has grown: Private usage: 1MB later: 35MB

                            Networking

                            barindex
                            Suricata IDS alerts for network traffic
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49683 -> 172.94.9.132:52507
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49685 -> 172.94.9.132:52507
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49684 -> 172.94.9.132:52507
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49682 -> 172.94.9.132:52507
                            C2 URLs / IPs found in malware configuration
                            Source: Malware configuration extractorURLs: remyma.duckdns.org
                            Uses dynamic DNS services
                            Source: unknownDNS query: name: remyma.duckdns.org
                            Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                            Source: Joe Sandbox ViewIP Address: 151.101.66.132 151.101.66.132
                            Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                            Source: Joe Sandbox ViewASN Name: VOXILITYGB VOXILITYGB
                            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                            Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49686 -> 178.237.33.50:80
                            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.215
                            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.208
                            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.215
                            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.215
                            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.215
                            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.208
                            Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
                            Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
                            Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
                            Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
                            Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
                            Source: unknownTCP traffic detected without corresponding DNS query: 20.42.65.90
                            Source: unknownTCP traffic detected without corresponding DNS query: 20.42.65.90
                            Source: unknownTCP traffic detected without corresponding DNS query: 20.42.65.90
                            Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
                            Source: unknownTCP traffic detected without corresponding DNS query: 23.199.214.10
                            Source: unknownTCP traffic detected without corresponding DNS query: 23.199.214.10
                            Source: unknownTCP traffic detected without corresponding DNS query: 23.199.214.10
                            Source: unknownTCP traffic detected without corresponding DNS query: 20.42.65.90
                            Source: unknownTCP traffic detected without corresponding DNS query: 20.42.65.90
                            Source: unknownTCP traffic detected without corresponding DNS query: 23.199.214.10
                            Source: unknownTCP traffic detected without corresponding DNS query: 23.199.214.10
                            Source: unknownTCP traffic detected without corresponding DNS query: 23.199.214.10
                            Source: unknownTCP traffic detected without corresponding DNS query: 23.199.214.10
                            Source: unknownTCP traffic detected without corresponding DNS query: 23.199.214.10
                            Source: unknownTCP traffic detected without corresponding DNS query: 20.42.65.90
                            Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
                            Source: unknownTCP traffic detected without corresponding DNS query: 23.199.214.10
                            Source: unknownTCP traffic detected without corresponding DNS query: 23.199.214.10
                            Source: unknownTCP traffic detected without corresponding DNS query: 23.199.214.10
                            Source: unknownTCP traffic detected without corresponding DNS query: 23.199.214.10
                            Source: unknownTCP traffic detected without corresponding DNS query: 23.199.214.10
                            Source: unknownTCP traffic detected without corresponding DNS query: 23.199.214.10
                            Source: unknownTCP traffic detected without corresponding DNS query: 20.42.65.90
                            Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.99
                            Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.99
                            Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.99
                            Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.99
                            Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.99
                            Source: unknownTCP traffic detected without corresponding DNS query: 13.107.253.72
                            Source: unknownTCP traffic detected without corresponding DNS query: 13.107.253.72
                            Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.99
                            Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.99
                            Source: unknownTCP traffic detected without corresponding DNS query: 172.205.25.163
                            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004062E2 ShellExecuteW,URLDownloadToFileW,0_2_004062E2
                            Source: global trafficHTTP traffic detected: GET /769eec76-38ee-469b-ae75-c9fdb78d6883/svhost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ucarecdn.comConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                            Source: global trafficHTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
                            Source: global trafficHTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
                            Source: file.exe, 00000000.00000003.1207192327.0000000003D6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1207120382.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1126311531.00000000037DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                            Source: file.exe, 00000000.00000003.1207192327.0000000003D6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1207120382.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1126311531.00000000037DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                            Source: file.exe, 00000000.00000002.3528394499.0000000004180000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000007.00000002.1143124800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 0000000A.00000002.1193069875.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                            Source: recover.exe, 00000005.00000003.1183945083.000000000316D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000008.00000003.1204493348.0000000000FBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: file://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                            Source: recover.exe, 00000005.00000003.1183945083.000000000316D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000008.00000003.1204493348.0000000000FBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: file://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                            Source: file.exe, 00000000.00000002.3528394499.0000000004180000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000007.00000002.1143124800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 0000000A.00000002.1193069875.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                            Source: recover.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                            Source: global trafficDNS traffic detected: DNS query: remyma.duckdns.org
                            Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                            Source: global trafficDNS traffic detected: DNS query: ucarecdn.com
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://c.pki.goog/r/gsr1.crl0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://c.pki.goog/r/r4.crl0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://c.pki.goog/we2/64OUIVzpZV4.crl0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                            Source: bhv580C.tmp.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
                            Source: bhv580C.tmp.5.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
                            Source: file.exe, 00000000.00000003.1094567250.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1107339225.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1101355104.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1124770883.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1105337800.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104691268.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1099318256.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1094567250.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1103577818.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1094567250.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1100945531.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1125807339.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189765783.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104132598.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1109342518.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3526166454.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1094651755.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102558467.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://geoplugin.net/json.gp
                            Source: file.exeString found in binary or memory: http://geoplugin.net/json.gp/C
                            Source: file.exe, 00000000.00000003.1102923180.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1094567250.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1107339225.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1101355104.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1124770883.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1105337800.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104691268.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1099318256.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1103577818.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1100945531.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1125807339.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189765783.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104132598.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1109342518.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3526166454.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102558467.00000000006CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpQ/
                            Source: file.exe, 00000000.00000003.1094567250.00000000006CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpl
                            Source: file.exe, 00000000.00000003.1094567250.00000000006CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gplH/
                            Source: file.exe, 00000000.00000003.1094567250.0000000000700000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpv
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://i.pki.goog/gsr1.crt0-
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://i.pki.goog/r4.crt0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://i.pki.goog/we2.crt0
                            Source: file.exe, 00000000.00000003.1104132598.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104691268.00000000006E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://localhost:9222/json.G
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://o.pki.goog/we20%
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://ocsp.digicert.com0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://ocsp.digicert.com0:
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://ocsp.digicert.com0H
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://ocsp.digicert.com0I
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://ocsp.digicert.com0Q
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://ocsp.msocsp.com0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://ocsp.msocsp.com0S
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://ocspx.digicert.com0E
                            Source: bhv580C.tmp.5.drString found in binary or memory: http://www.digicert.com/CPS0
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: http://www.digicert.com/CPS0~
                            Source: file.exe, 00000000.00000002.3528394499.0000000004180000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000007.00000002.1143124800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 0000000A.00000002.1193069875.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                            Source: file.exe, 00000000.00000002.3528394499.0000000004180000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000007.00000003.1142913057.000000000352D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000007.00000002.1143124800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000007.00000003.1138763037.000000000352D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000A.00000002.1193069875.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 0000000A.00000003.1192732097.00000000031CD000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000A.00000003.1192812095.00000000031CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                            Source: recover.exe, 00000007.00000003.1142913057.000000000352D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000007.00000003.1138763037.000000000352D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000A.00000003.1192732097.00000000031CD000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000A.00000003.1192812095.00000000031CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comata
                            Source: file.exe, 00000000.00000002.3528394499.0000000004180000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000007.00000002.1143124800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 0000000A.00000002.1193069875.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                            Source: file.exe, 00000000.00000002.3528394499.0000000004180000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000007.00000002.1143124800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 0000000A.00000002.1193069875.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                            Source: recover.exe, 00000005.00000002.1184398832.0000000000754000.00000004.00000010.00020000.00000000.sdmp, recover.exe, 00000008.00000002.1205010228.0000000000C32000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                            Source: recover.exe, 0000000A.00000002.1193069875.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?5b3bec92835bc024c52f96dd
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?f0f7e1407b69bd65640be717
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f343d3a8731ffea490b8b5c3
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f92d19bcbba8eb1999dabbc8
                            Source: bhv580C.tmp.5.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=LO
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                            Source: bhv580C.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb&ndcParam=QWthbWFp
                            Source: bhv580C.tmp.5.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://dl.google.com/update2/installers/icons/%7B8a69d345-d564-463c-aff1-a69d9e530f96%7D.bmp?lang=e
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5a&
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=MIRA-WW-PH7&FrontEn
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
                            Source: file.exe, 00000000.00000003.1125807339.0000000000717000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189765783.0000000000717000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1099318256.0000000000717000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                            Source: bhv580C.tmp.5.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                            Source: bhv580C.tmp.5.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                            Source: bhv580C.tmp.5.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                            Source: recover.exeString found in binary or memory: https://login.yahoo.com/config/login
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://maps.windows.com/windows-app-web-link
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-08-30-16/PreSignInSettingsConfig.json
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=13164f2a9ee6956f1439
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=b92552
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                            Source: file.exe, 00000000.00000003.1109342518.0000000000700000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1099318256.0000000000700000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1101355104.0000000000700000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1099318256.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1108265714.0000000000700000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1105337800.0000000000700000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102558467.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1124770883.0000000000700000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1105765330.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104132598.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1124770883.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1103577818.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104132598.0000000000700000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3526166454.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1105337800.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1109342518.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102923180.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1101727594.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104691268.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102558467.0000000000700000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102158946.00000000006E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ucarecdn.com/
                            Source: file.exe, 00000000.00000003.1099318256.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102558467.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1105765330.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104132598.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1124770883.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1103577818.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3526166454.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1105337800.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1109342518.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102923180.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1101727594.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104691268.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102158946.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1100945531.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1125807339.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189765783.00000000006E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ucarecdn.com//i
                            Source: file.exe, 00000000.00000003.1102558467.00000000006CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ucarecdn.com/769eec76-38ee-469b-ae75-c9fdb78d6883/svhost.exe
                            Source: file.exe, 00000000.00000003.2190076108.00000000006F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1099318256.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102558467.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1105765330.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104132598.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1124770883.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1103577818.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1105337800.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1109342518.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102923180.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1101727594.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104691268.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102158946.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1100945531.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1125807339.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189765783.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3526553931.00000000006F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ucarecdn.com/769eec76-38ee-469b-ae75-c9fdb78d6883/svhost.exe#
                            Source: file.exe, 00000000.00000003.2190076108.00000000006F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1099318256.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102558467.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1105765330.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104132598.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1124770883.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1103577818.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1105337800.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1109342518.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102923180.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1101727594.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104691268.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102158946.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1100945531.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1125807339.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189765783.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3526553931.00000000006F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ucarecdn.com/769eec76-38ee-469b-ae75-c9fdb78d6883/svhost.exe(
                            Source: file.exe, 00000000.00000002.3525925643.000000000067E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ucarecdn.com/769eec76-38ee-469b-ae75-c9fdb78d6883/svhost.exe.exe
                            Source: file.exe, 00000000.00000003.2190076108.00000000006F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1099318256.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102558467.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1105765330.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104132598.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1124770883.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1103577818.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1105337800.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1109342518.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102923180.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1101727594.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104691268.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102158946.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1100945531.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1125807339.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189765783.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3526553931.00000000006F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ucarecdn.com/769eec76-38ee-469b-ae75-c9fdb78d6883/svhost.exe?
                            Source: file.exe, 00000000.00000003.1099318256.00000000006E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ucarecdn.com/769eec76-38ee-469b-ae75-c9fdb78d6883/svhost.exeL
                            Source: file.exe, 00000000.00000002.3526166454.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102558467.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104132598.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1100945531.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1109342518.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1103577818.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1097731288.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104691268.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189765783.00000000006C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ucarecdn.com/769eec76-38ee-469b-ae75-c9fdb78d6883/svhost.exeP
                            Source: file.exe, 00000000.00000003.2190076108.00000000006F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1099318256.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102558467.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1105765330.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104132598.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1124770883.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1103577818.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1105337800.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1109342518.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102923180.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1101727594.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1104691268.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102158946.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1100945531.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1125807339.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189765783.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3526553931.00000000006F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ucarecdn.com/769eec76-38ee-469b-ae75-c9fdb78d6883/svhost.exeU
                            Source: file.exe, 00000000.00000003.1099318256.00000000006E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ucarecdn.com/ptography
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?407dab52f7bc43350b5cde12afe93269
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?469316a07faf13c962eeef1395652e59
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://www.digicert.com/CPS0
                            Source: file.exe, 00000000.00000002.3528394499.0000000004180000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000007.00000002.1143124800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 0000000A.00000002.1193069875.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                            Source: recover.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drString found in binary or memory: https://www.office.com/
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49687
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49676 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49678 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49679 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49681
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49671 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49687 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49681 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                            Source: unknownHTTPS traffic detected: 151.101.66.132:443 -> 192.168.2.8:49687 version: TLS 1.2

                            Key, Mouse, Clipboard, Microphone and Screen Capturing

                            barindex
                            Contains functionality to register a low level keyboard hook
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00409D1E SetWindowsHookExA 0000000D,00409D0A,000000000_2_00409D1E
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B158
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_0041696E
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,5_2_00409E39
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,5_2_00409EA1
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,6_2_00406DFC
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,6_2_00406E9F
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,7_2_004068B5
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,7_2_004072B5
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,8_2_00409E39
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,8_2_00409EA1
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B158
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00409E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_00409E4A
                            Source: Yara matchFile source: file.exe, type: SAMPLE
                            Source: Yara matchFile source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000000.00000002.3525236730.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000000.1059471953.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: file.exe PID: 6928, type: MEMORYSTR

                            E-Banking Fraud

                            barindex
                            Yara detected Remcos RAT
                            Source: Yara matchFile source: file.exe, type: SAMPLE
                            Source: Yara matchFile source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000000.00000002.3525236730.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000002.3525925643.000000000067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000000.1059471953.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: file.exe PID: 6928, type: MEMORYSTR

                            Spam, unwanted Advertisements and Ransom Demands

                            barindex
                            Contains functionalty to change the wallpaper
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041CF2D SystemParametersInfoW,0_2_0041CF2D

                            System Summary

                            barindex
                            Malicious sample detected (through community Yara rule)
                            Source: file.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: file.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Author: unknown
                            Source: file.exe, type: SAMPLEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                            Source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                            Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: 00000000.00000002.3525236730.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 00000000.00000000.1059471953.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: Process Memory Space: file.exe PID: 6928, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: C:\Users\user\Desktop\file.exeProcess Stats: CPU usage > 49%
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00418267 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,GetLastError,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,0_2_00418267
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041C077 OpenProcess,NtSuspendProcess,CloseHandle,0_2_0041C077
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041C0A3 OpenProcess,NtResumeProcess,CloseHandle,0_2_0041C0A3
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10006EF0 OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,0_2_10006EF0
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,5_2_0040BAE3
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_004016FD NtdllDefWindowProc_A,6_2_004016FD
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_004017B7 NtdllDefWindowProc_A,6_2_004017B7
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_00402CAC NtdllDefWindowProc_A,7_2_00402CAC
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_00402D66 NtdllDefWindowProc_A,7_2_00402D66
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,8_2_0040BAE3
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00416861 ExitWindowsEx,LoadLibraryA,GetProcAddress,0_2_00416861
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0042809D0_2_0042809D
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045412B0_2_0045412B
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004421C00_2_004421C0
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004281D70_2_004281D7
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0043E1E00_2_0043E1E0
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041E29B0_2_0041E29B
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004373DA0_2_004373DA
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004383800_2_00438380
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004534720_2_00453472
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0042747E0_2_0042747E
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0043E43D0_2_0043E43D
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004325A10_2_004325A1
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0043774C0_2_0043774C
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041F8090_2_0041F809
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004379F60_2_004379F6
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004279F50_2_004279F5
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0044DAD90_2_0044DAD9
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00433C730_2_00433C73
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00413CA00_2_00413CA0
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00437CBD0_2_00437CBD
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0043DD820_2_0043DD82
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00435F520_2_00435F52
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00437F780_2_00437F78
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0043DFB10_2_0043DFB1
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_041BB5C10_2_041BB5C1
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_041C71940_2_041C7194
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_100012CB0_2_100012CB
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_1000F1CE0_2_1000F1CE
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_100322870_2_10032287
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_1000F3FD0_2_1000F3FD
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_1000B9500_2_1000B950
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10009AD00_2_10009AD0
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_1001FAEB0_2_1001FAEB
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10013BD00_2_10013BD0
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10009D400_2_10009D40
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_1001BF190_2_1001BF19
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0044A0305_2_0044A030
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0040612B5_2_0040612B
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0043E13D5_2_0043E13D
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0044B1885_2_0044B188
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_004422735_2_00442273
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0044D3805_2_0044D380
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0044A5F05_2_0044A5F0
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_004125F65_2_004125F6
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_004065BF5_2_004065BF
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_004086CB5_2_004086CB
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_004066BC5_2_004066BC
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0044D7605_2_0044D760
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_00405A405_2_00405A40
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_00449A405_2_00449A40
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_00405AB15_2_00405AB1
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_00405B225_2_00405B22
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0044ABC05_2_0044ABC0
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_00405BB35_2_00405BB3
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_00417C605_2_00417C60
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0044CC705_2_0044CC70
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_00418CC95_2_00418CC9
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0044CDFB5_2_0044CDFB
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0044CDA05_2_0044CDA0
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0044AE205_2_0044AE20
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_00415E3E5_2_00415E3E
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_00437F3B5_2_00437F3B
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_004050386_2_00405038
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_0041208C6_2_0041208C
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_004050A96_2_004050A9
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_0040511A6_2_0040511A
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_0043C13A6_2_0043C13A
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_004051AB6_2_004051AB
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_004493006_2_00449300
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_0040D3226_2_0040D322
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_0044A4F06_2_0044A4F0
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_0043A5AB6_2_0043A5AB
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_004136316_2_00413631
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_004466906_2_00446690
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_0044A7306_2_0044A730
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_004398D86_2_004398D8
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_004498E06_2_004498E0
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_0044A8866_2_0044A886
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_0043DA096_2_0043DA09
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_00438D5E6_2_00438D5E
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_00449ED06_2_00449ED0
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_0041FE836_2_0041FE83
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_00430F546_2_00430F54
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_004050C27_2_004050C2
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_004014AB7_2_004014AB
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_004051337_2_00405133
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_004051A47_2_004051A4
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_004012467_2_00401246
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_0040CA467_2_0040CA46
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_004052357_2_00405235
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_004032C87_2_004032C8
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_004016897_2_00401689
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_00402F607_2_00402F60
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_0044A0308_2_0044A030
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_0040612B8_2_0040612B
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_0043E13D8_2_0043E13D
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_0044B1888_2_0044B188
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_004422738_2_00442273
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_0044D3808_2_0044D380
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_0044A5F08_2_0044A5F0
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_004125F68_2_004125F6
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_004065BF8_2_004065BF
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_004086CB8_2_004086CB
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_004066BC8_2_004066BC
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_0044D7608_2_0044D760
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_00405A408_2_00405A40
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_00449A408_2_00449A40
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_00405AB18_2_00405AB1
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_00405B228_2_00405B22
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_0044ABC08_2_0044ABC0
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_00405BB38_2_00405BB3
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_00417C608_2_00417C60
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_0044CC708_2_0044CC70
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_00418CC98_2_00418CC9
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_0044CDFB8_2_0044CDFB
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_0044CDA08_2_0044CDA0
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_0044AE208_2_0044AE20
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_00415E3E8_2_00415E3E
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_00437F3B8_2_00437F3B
                            Source: C:\Users\user\Desktop\file.exeCode function: String function: 004351E0 appears 55 times
                            Source: C:\Users\user\Desktop\file.exeCode function: String function: 00434ACF appears 44 times
                            Source: C:\Users\user\Desktop\file.exeCode function: String function: 00401F96 appears 49 times
                            Source: C:\Users\user\Desktop\file.exeCode function: String function: 1000A588 appears 36 times
                            Source: C:\Users\user\Desktop\file.exeCode function: String function: 00401EBF appears 36 times
                            Source: C:\Users\user\Desktop\file.exeCode function: String function: 1000B0E0 appears 32 times
                            Source: C:\Users\user\Desktop\file.exeCode function: String function: 00402117 appears 40 times
                            Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 0044DDB0 appears 66 times
                            Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 00431D8F appears 32 times
                            Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 00446866 appears 36 times
                            Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 00418555 appears 68 times
                            Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 004186B6 appears 116 times
                            Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 004188FE appears 176 times
                            Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 00422297 appears 42 times
                            Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 00444B5A appears 37 times
                            Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 00413025 appears 79 times
                            Source: file.exe, 00000000.00000003.1207192327.0000000003D6A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs file.exe
                            Source: file.exe, 00000000.00000003.1207120382.0000000003EE7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs file.exe
                            Source: file.exe, 00000000.00000003.1128906590.0000000000726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs file.exe
                            Source: file.exe, 00000000.00000003.1133055587.0000000003D6A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs file.exe
                            Source: file.exe, 00000000.00000003.1133375299.0000000003FAD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs file.exe
                            Source: file.exe, 00000000.00000002.3527760214.00000000037EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs file.exe
                            Source: file.exe, 00000000.00000003.1130449971.0000000003AA3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs file.exe
                            Source: file.exe, 00000000.00000003.1308415825.00000000037EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs file.exe
                            Source: file.exe, 00000000.00000003.1207330519.0000000003E2F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs file.exe
                            Source: file.exe, 00000000.00000002.3528394499.000000000419B000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs file.exe
                            Source: file.exe, 00000000.00000002.3528116762.000000000404B000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs file.exe
                            Source: file.exe, 00000000.00000003.1207258098.0000000003C78000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs file.exe
                            Source: file.exe, 00000000.00000003.1206749061.000000000382B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs file.exe
                            Source: file.exe, 00000000.00000003.1128270579.0000000002BE1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs file.exe
                            Source: file.exe, 00000000.00000003.1133227461.00000000037DD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs file.exe
                            Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: file.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: file.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: file.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 00000000.00000002.3525236730.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 00000000.00000000.1059471953.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: Process Memory Space: file.exe PID: 6928, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: classification engineClassification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@39/9@3/5
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,5_2_0041A225
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00417AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_00417AD9
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,7_2_00410DE1
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0041A6AF GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,5_2_0041A6AF
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040C03C GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,0_2_0040C03C
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041B9AB FindResourceA,LoadResource,LockResource,SizeofResource,0_2_0041B9AB
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_0041AC43
                            Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\json[1].jsonJump to behavior
                            Source: C:\Users\user\Desktop\file.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-7J4RV4
                            Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\TmpUserDataJump to behavior
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: Rmc-7J4RV40_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: -Sys0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: Rmc-7J4RV4-Sys0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: Software\0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: TcG0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: Rmc-7J4RV4-Sys0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: $cG0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: TcG0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: Exe0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: Exe0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: Rmc-7J4RV40_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: TcG0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: TcG0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: Inj0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: Inj0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: TcG0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: lcG0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: <cG0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: <cG0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: <cG0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: p8h0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: p8h0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: <cG0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: TcG0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: exepath0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: p8h0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: TcG0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: exepath0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: <cG0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: licence0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: TcG0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: 0aG0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: l]G0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: System0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: Administrator0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: User0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: TcG0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: del0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: del0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: del0_2_0040E560
                            Source: C:\Users\user\Desktop\file.exeCommand line argument: TcG0_2_0040E560
                            Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: C:\Windows\SysWOW64\recover.exeSystem information queried: HandleInformationJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                            Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                            Source: file.exe, 00000000.00000003.1207192327.0000000003D6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1207120382.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1126311531.00000000037DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1133055587.0000000003D6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1133375299.0000000003FAD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1130449971.0000000003AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1206511619.00000000038E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1206749061.000000000383F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1125361441.0000000002BE1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3528176811.0000000004070000.00000040.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000003.1207330519.0000000003E2F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                            Source: file.exe, 00000000.00000003.1207192327.0000000003D6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1207120382.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1126311531.00000000037DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1133055587.0000000003D6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1133375299.0000000003FAD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3528018168.0000000003FB0000.00000040.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000003.1130449971.0000000003AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1206511619.00000000038E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1206749061.000000000383F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1125361441.0000000002BE1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3528176811.0000000004070000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                            Source: file.exe, 00000000.00000003.1207192327.0000000003D6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1207120382.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1126311531.00000000037DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1133055587.0000000003D6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1133375299.0000000003FAD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1130449971.0000000003AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1206511619.00000000038E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1206749061.000000000383F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3528176811.0000000004070000.00000040.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000003.1207330519.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1207258098.0000000003C78000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                            Source: file.exe, 00000000.00000003.1207192327.0000000003D6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1207120382.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1126311531.00000000037DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1133055587.0000000003D6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1133375299.0000000003FAD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1130449971.0000000003AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1206511619.00000000038E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1206749061.000000000383F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1125361441.0000000002BE1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3528176811.0000000004070000.00000040.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000003.1207330519.0000000003E2F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                            Source: file.exe, 00000000.00000003.1207192327.0000000003D6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1207120382.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1126311531.00000000037DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1133055587.0000000003D6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1133375299.0000000003FAD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1130449971.0000000003AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1206511619.00000000038E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1206749061.000000000383F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3528176811.0000000004070000.00000040.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000003.1207330519.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1207258098.0000000003C78000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                            Source: file.exe, 00000000.00000003.1207192327.0000000003D6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1207120382.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1126311531.00000000037DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1133055587.0000000003D6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1133375299.0000000003FAD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1130449971.0000000003AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1206511619.00000000038E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1206749061.000000000383F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3528176811.0000000004070000.00000040.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000003.1207330519.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1207258098.0000000003C78000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                            Source: recover.exe, 00000005.00000003.1182045729.000000000302B000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000005.00000003.1181999310.000000000301A000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000008.00000003.1204257202.0000000004A1F000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000008.00000003.1204374457.0000000004A2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                            Source: file.exe, 00000000.00000003.1207192327.0000000003D6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1207120382.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1126311531.00000000037DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1133055587.0000000003D6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1133375299.0000000003FAD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1130449971.0000000003AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1206511619.00000000038E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1206749061.000000000383F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1125361441.0000000002BE1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3528176811.0000000004070000.00000040.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000003.1207330519.0000000003E2F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                            Source: file.exeVirustotal: Detection: 80%
                            Source: file.exeReversingLabs: Detection: 84%
                            Source: C:\Windows\SysWOW64\recover.exeEvasive API call chain: __getmainargs,DecisionNodes,exit
                            Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --no-pre-read-main-dll --field-trial-handle=2016,i,5887734212717503347,3934441495540810161,262144 --disable-features=PaintHolding --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2060 /prefetch:3
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\iajtsrgsebxssztvpisvuwyvnh"
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\svolskrusjpwcnhzgsfxxbteowblk"
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\vxcelccngrhjftddqdrqiogvxctmlxvr"
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\zgvoqthapwehbbwvasslabmm"
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kaiyjmsudewmdpszrdfelggvrby"
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\mcorkecvrmorovgcbozgottmahirzjo"
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
                            Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1536 --field-trial-handle=1408,i,18324159308857574355,16848231625671550438,262144 --disable-features=PaintHolding /prefetch:3
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\iajtsrgsebxssztvpisvuwyvnh"Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\svolskrusjpwcnhzgsfxxbteowblk"Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\vxcelccngrhjftddqdrqiogvxctmlxvr"Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\zgvoqthapwehbbwvasslabmm"Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kaiyjmsudewmdpszrdfelggvrby"Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\mcorkecvrmorovgcbozgottmahirzjo"Jump to behavior
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --no-pre-read-main-dll --field-trial-handle=2016,i,5887734212717503347,3934441495540810161,262144 --disable-features=PaintHolding --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2060 /prefetch:3Jump to behavior
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1536 --field-trial-handle=1408,i,18324159308857574355,16848231625671550438,262144 --disable-features=PaintHolding /prefetch:3Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: schannel.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: rstrtmgr.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: ntmarta.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: webio.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: mskeyprotect.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: ncryptsslp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: pstorec.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: vaultcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: pstorec.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: pstorec.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: vaultcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: pstorec.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                            Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                            Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                            Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                            Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                            Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                            Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                            Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                            Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: recover.exe, recover.exe, 00000008.00000002.1204867164.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                            Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                            Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                            Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                            Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                            Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041D0CF
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004570CF push ecx; ret 0_2_004570E2
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00435226 push ecx; ret 0_2_00435239
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00457A00 push eax; ret 0_2_00457A1E
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_041B2806 push ecx; ret 0_2_041B2819
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_1000B126 push ecx; ret 0_2_1000B139
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_1002344D push esi; ret 0_2_10023456
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_00446B75 push ecx; ret 5_2_00446B85
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_00452BB4 push eax; ret 5_2_00452BC1
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0044DDB0 push eax; ret 5_2_0044DDC4
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0044DDB0 push eax; ret 5_2_0044DDEC
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_0044B090 push eax; ret 6_2_0044B0A4
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_0044B090 push eax; ret 6_2_0044B0CC
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_00451D34 push eax; ret 6_2_00451D41
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_00444E71 push ecx; ret 6_2_00444E81
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_00414060 push eax; ret 7_2_00414074
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_00414060 push eax; ret 7_2_0041409C
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_00414039 push ecx; ret 7_2_00414049
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_004164EB push 0000006Ah; retf 7_2_004165C4
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_00416553 push 0000006Ah; retf 7_2_004165C4
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_00416555 push 0000006Ah; retf 7_2_004165C4
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_00446B75 push ecx; ret 8_2_00446B85
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_00452BB4 push eax; ret 8_2_00452BC1
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_0044DDB0 push eax; ret 8_2_0044DDC4
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_0044DDB0 push eax; ret 8_2_0044DDEC
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004062E2 ShellExecuteW,URLDownloadToFileW,0_2_004062E2
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_0041AC43
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041D0CF
                            Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                            Malware Analysis System Evasion

                            barindex
                            Found evasive API chain checking for user administrative privileges
                            Source: C:\Users\user\Desktop\file.exeCheck user administrative privileges: IsUserAndAdmin, DecisionNodegraph_0-70917
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,5_2_0040BAE3
                            Source: C:\Users\user\Desktop\file.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_0041A941
                            Source: C:\Users\user\Desktop\file.exeWindow / User API: threadDelayed 5200Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeWindow / User API: threadDelayed 4680Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_0-68942
                            Source: C:\Users\user\Desktop\file.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_0-71388
                            Source: C:\Windows\SysWOW64\recover.exeAPI coverage: 9.7 %
                            Source: C:\Users\user\Desktop\file.exe TID: 6996Thread sleep count: 5200 > 30Jump to behavior
                            Source: C:\Users\user\Desktop\file.exe TID: 6996Thread sleep time: -15600000s >= -30000sJump to behavior
                            Source: C:\Users\user\Desktop\file.exe TID: 6324Thread sleep count: 78 > 30Jump to behavior
                            Source: C:\Users\user\Desktop\file.exe TID: 6996Thread sleep count: 4680 > 30Jump to behavior
                            Source: C:\Users\user\Desktop\file.exe TID: 6996Thread sleep time: -14040000s >= -30000sJump to behavior
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_004090DC
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B6B5
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041C7E5
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B8BA
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0044E989 FindFirstFileExA,0_2_0044E989
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_00408CDE
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419CEE
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407EDD
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00406F13 FindFirstFileW,FindNextFileW,0_2_00406F13
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_041B10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_041B10F1
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_041B6580 FindFirstFileExA,0_2_041B6580
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10005B50 FindFirstFileW,FindNextFileW,FindNextFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_10005B50
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10007E40 Sleep,FindFirstFileW,RemoveDirectoryW,FindNextFileW,RemoveDirectoryW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_10007E40
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10019083 FindFirstFileExA,0_2_10019083
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10007510 FindFirstFileW,FindNextFileW,CreateFileW,FindNextFileW,FindClose,CloseHandle,FindClose,0_2_10007510
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0040B477 FindFirstFileW,FindNextFileW,5_2_0040B477
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,6_2_00407EF8
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,7_2_00407898
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_0040B477 FindFirstFileW,FindNextFileW,8_2_0040B477
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407357
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0041A8D8 memset,GetSystemInfo,5_2_0041A8D8
                            Source: file.exe, 00000000.00000003.1109342518.0000000000700000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1094567250.0000000000700000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1099318256.0000000000700000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2190076108.00000000006F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1101355104.0000000000700000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1099318256.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1108265714.0000000000700000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1105337800.0000000000700000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1102558467.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1124770883.0000000000700000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189765783.0000000000700000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                            Source: bhv6CEC.tmp.8.dr, bhv580C.tmp.5.drBinary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
                            Source: C:\Windows\SysWOW64\recover.exeAPI call chain: ExitProcess graph end node
                            Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043B88D
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,5_2_0040BAE3
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041D0CF
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004438F4 mov eax, dword ptr fs:[00000030h]0_2_004438F4
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_041B4AB4 mov eax, dword ptr fs:[00000030h]0_2_041B4AB4
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_1001502C mov eax, dword ptr fs:[00000030h]0_2_1001502C
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00411999 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,0_2_00411999
                            Source: C:\Windows\SysWOW64\recover.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00435398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00435398
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043B88D
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00434D6E
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00434F01 SetUnhandledExceptionFilter,0_2_00434F01
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_041B2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_041B2639
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_041B60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_041B60E2
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_041B2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_041B2B1C
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_1000B279 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_1000B279
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_1000DD9A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_1000DD9A
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_1000AFB3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_1000AFB3

                            HIPS / PFW / Operating System Protection Evasion

                            barindex
                            Contains functionality to inject code into remote processes
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00418267 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,GetLastError,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,0_2_00418267
                            Maps a DLL or memory area into another process
                            Source: C:\Users\user\Desktop\file.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and writeJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and writeJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and writeJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and writeJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and writeJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and writeJump to behavior
                            Sample uses process hollowing technique
                            Source: C:\Users\user\Desktop\file.exeSection unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000Jump to behavior
                            Writes to foreign memory regions
                            Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\SysWOW64\recover.exe base: 9DA008Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\SysWOW64\recover.exe base: 974008Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\SysWOW64\recover.exe base: CA5008Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\SysWOW64\recover.exe base: A16008Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\SysWOW64\recover.exe base: B00008Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\SysWOW64\recover.exe base: 858008Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeCode function: CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,OpenProcess,OpenProcessToken,CloseHandle, explorer.exe0_2_10007360
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004197D9 mouse_event,0_2_004197D9
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\iajtsrgsebxssztvpisvuwyvnh"Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\svolskrusjpwcnhzgsfxxbteowblk"Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\vxcelccngrhjftddqdrqiogvxctmlxvr"Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\zgvoqthapwehbbwvasslabmm"Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kaiyjmsudewmdpszrdfelggvrby"Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\mcorkecvrmorovgcbozgottmahirzjo"Jump to behavior
                            Source: file.exe, 00000000.00000003.2189738390.0000000000752000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3527142661.0000000000755000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189605792.0000000000738000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerTx
                            Source: file.exe, 00000000.00000002.3527142661.0000000000755000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                            Source: file.exe, 00000000.00000003.2189738390.0000000000752000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189605792.0000000000738000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerYx
                            Source: file.exe, 00000000.00000003.2189738390.0000000000752000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189605792.0000000000738000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager-x
                            Source: file.exe, 00000000.00000003.2189738390.0000000000752000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3527142661.0000000000755000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189605792.0000000000738000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerNx
                            Source: file.exe, 00000000.00000002.3527142661.0000000000755000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager"x
                            Source: file.exe, 00000000.00000003.2189738390.0000000000752000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3527142661.0000000000755000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189605792.0000000000738000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerfx
                            Source: file.exe, 00000000.00000002.3527142661.0000000000755000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager(x
                            Source: file.exe, 00000000.00000002.3527142661.0000000000755000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager;x
                            Source: file.exe, 00000000.00000003.1127649317.0000000002C5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1126500100.0000000002C5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3525925643.000000000067E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                            Source: file.exe, 00000000.00000002.3527142661.0000000000755000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager}
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00435034 cpuid 0_2_00435034
                            Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoA,0_2_0040F26B
                            Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_004520E2
                            Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_00452097
                            Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_0045217D
                            Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_0045220A
                            Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_0044844E
                            Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_0045245A
                            Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00452583
                            Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_0045268A
                            Source: C:\Users\user\Desktop\file.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00452757
                            Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_00448937
                            Source: C:\Users\user\Desktop\file.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00451E1F
                            Source: C:\Windows\SysWOW64\recover.exeQueries volume information: C:\ VolumeInformationJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeQueries volume information: C:\ VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00404961 GetLocalTime,CreateEventA,CreateThread,0_2_00404961
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041BB0E GetComputerNameExW,GetUserNameW,0_2_0041BB0E
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004491DA _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_004491DA
                            Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_004192F2 GetVersionExW,5_2_004192F2
                            Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                            Stealing of Sensitive Information

                            barindex
                            Yara detected Remcos RAT
                            Source: Yara matchFile source: file.exe, type: SAMPLE
                            Source: Yara matchFile source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000000.00000002.3525236730.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000002.3525925643.000000000067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000000.1059471953.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: file.exe PID: 6928, type: MEMORYSTR
                            Contains functionality to steal Chrome passwords or cookies
                            Source: C:\Users\user\Desktop\file.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data0_2_0040B59B
                            Contains functionality to steal Firefox passwords or cookies
                            Source: C:\Users\user\Desktop\file.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\0_2_0040B6B5
                            Source: C:\Users\user\Desktop\file.exeCode function: \key3.db0_2_0040B6B5
                            Tries to harvest and steal browser information (history, passwords, etc)
                            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqliteJump to behavior
                            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.dbJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqliteJump to behavior
                            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                            Tries to steal Instant Messenger accounts or passwords
                            Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\AccountsJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic SaltJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic SaltJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\AccountsJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\PaltalkJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\AccountsJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic SaltJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic SaltJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\AccountsJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\PaltalkJump to behavior
                            Tries to steal Mail credentials (via file / registry access)
                            Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live MailJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                            Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live MailJump to behavior
                            Tries to steal Mail credentials (via file registry)
                            Source: C:\Windows\SysWOW64\recover.exeCode function: ESMTPPassword6_2_004033F0
                            Source: C:\Windows\SysWOW64\recover.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword6_2_00402DB3
                            Source: C:\Windows\SysWOW64\recover.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword6_2_00402DB3
                            Yara detected WebBrowserPassView password recovery tool
                            Source: Yara matchFile source: 0.3.file.exe.37dcf40.9.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.3.file.exe.37dcf40.8.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 5.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.3.file.exe.383f560.16.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.3.file.exe.37dcf40.7.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.3.file.exe.37def80.12.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.3.file.exe.383f560.13.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.3.file.exe.383f560.14.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 8.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.3.file.exe.37def80.10.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.file.exe.4070000.4.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 5.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.3.file.exe.383f560.13.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.file.exe.4070000.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.file.exe.3ab0000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 8.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.3.file.exe.383f560.14.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.3.file.exe.383f560.16.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.3.file.exe.37def80.11.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.file.exe.3ab0000.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000000.00000003.1207192327.0000000003D6A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000003.1207120382.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000003.1126311531.00000000037DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000003.1133055587.0000000003D6A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000003.1130449971.0000000003AA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000005.00000002.1184285044.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000003.1133375299.0000000003FAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000003.1206511619.00000000038E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000003.1206749061.000000000383F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000002.3528176811.0000000004070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000003.1207330519.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000008.00000002.1204867164.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000003.1125660341.0000000000726000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000003.1206570655.000000000383F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000003.1207258098.0000000003C78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000002.3527852978.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000003.1133227461.00000000037DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: file.exe PID: 6928, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: recover.exe PID: 7648, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: recover.exe PID: 7192, type: MEMORYSTR

                            Remote Access Functionality

                            barindex
                            Attempt to bypass Chrome Application-Bound Encryption
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
                            Detected Remcos RAT
                            Source: C:\Users\user\Desktop\file.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-7J4RV4Jump to behavior
                            Yara detected Remcos RAT
                            Source: Yara matchFile source: file.exe, type: SAMPLE
                            Source: Yara matchFile source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000000.00000002.3525236730.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000002.3525925643.000000000067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000000.1059471953.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: file.exe PID: 6928, type: MEMORYSTR
                            Source: C:\Users\user\Desktop\file.exeCode function: cmd.exe0_2_00405091

                            Mitre Att&ck Matrix

                            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                            Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                            Native API                            		1
                            DLL Side-Loading                            		1
                            DLL Side-Loading                            		1
                            Deobfuscate/Decode Files or Information                            		2
                            OS Credential Dumping                            		2
                            System Time Discovery                            		Remote Services11
                            Archive Collected Data                            		12
                            Ingress Tool Transfer                            		Exfiltration Over Other Network Medium1
                            System Shutdown/Reboot
                            CredentialsDomainsDefault Accounts1
                            Shared Modules                            		1
                            Windows Service                            		1
                            Bypass User Account Control                            		2
                            Obfuscated Files or Information                            		111
                            Input Capture                            		11
                            Account Discovery                            		Remote Desktop Protocol1
                            Data from Local System                            		21
                            Encrypted Channel                            		Exfiltration Over Bluetooth1
                            Defacement
                            Email AddressesDNS ServerDomain Accounts13
                            Command and Scripting Interpreter                            		Logon Script (Windows)1
                            Extra Window Memory Injection                            		1
                            DLL Side-Loading                            		2
                            Credentials in Registry                            		1
                            System Service Discovery                            		SMB/Windows Admin Shares1
                            Email Collection                            		2
                            Remote Access Software                            		Automated ExfiltrationData Encrypted for Impact
                            Employee NamesVirtual Private ServerLocal Accounts2
                            Service Execution                            		Login Hook1
                            Access Token Manipulation                            		1
                            Bypass User Account Control                            		3
                            Credentials In Files                            		3
                            File and Directory Discovery                            		Distributed Component Object Model111
                            Input Capture                            		2
                            Non-Application Layer Protocol                            		Traffic DuplicationData Destruction
                            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
                            Windows Service                            		1
                            Extra Window Memory Injection                            		LSA Secrets38
                            System Information Discovery                            		SSH3
                            Clipboard Data                            		23
                            Application Layer Protocol                            		Scheduled TransferData Encrypted for Impact
                            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts422
                            Process Injection                            		1
                            Masquerading                            		Cached Domain Credentials31
                            Security Software Discovery                            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                            Virtualization/Sandbox Evasion                            		DCSync1
                            Virtualization/Sandbox Evasion                            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                            Access Token Manipulation                            		Proc Filesystem4
                            Process Discovery                            		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt422
                            Process Injection                            		/etc/passwd and /etc/shadow1
                            Application Window Discovery                            		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                            IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                            System Owner/User Discovery                            		Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                            Behavior Graph

                            Hide Legend

                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet
                            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1637437 Sample: file.exe Startdate: 13/03/2025 Architecture: WINDOWS Score: 100 26 remyma.duckdns.org 2->26 28 ucarecdn.com 2->28 30 geoplugin.net 2->30 40 Suricata IDS alerts for network traffic 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 48 10 other signatures 2->48 8 file.exe 4 26 2->8         started        signatures3 46 Uses dynamic DNS services 26->46 process4 dnsIp5 34 remyma.duckdns.org 172.94.9.132, 49682, 49683, 49684 VOXILITYGB United States 8->34 36 ucarecdn.com 151.101.66.132, 443, 49687 FASTLYUS United States 8->36 38 2 other IPs or domains 8->38 50 Contains functionality to bypass UAC (CMSTPLUA) 8->50 52 Detected Remcos RAT 8->52 54 Attempt to bypass Chrome Application-Bound Encryption 8->54 56 10 other signatures 8->56 12 recover.exe 1 8->12         started        15 recover.exe 1 8->15         started        17 recover.exe 1 8->17         started        19 5 other processes 8->19 signatures6 process7 dnsIp8 58 Tries to steal Instant Messenger accounts or passwords 12->58 60 Tries to steal Mail credentials (via file / registry access) 12->60 62 Tries to harvest and steal browser information (history, passwords, etc) 15->62 32 192.168.2.8, 138, 443, 49681 unknown unknown 19->32 64 Tries to steal Mail credentials (via file registry) 19->64 22 msedge.exe 19->22         started        24 chrome.exe 19->24         started        signatures9 process10

                            Screenshots

                            Thumbnails

                            This section contains all screenshots as thumbnails, including those not shown in the slideshow.