Windows Analysis Report
17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Overview

General Information

Sample name: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Analysis ID: 1639137
MD5: 5ddb167da3d34815ee5b1da2bf5819bf
SHA1: 887e427fe7af2ba6461c3b30592097f56c7dd65c
SHA256: 124b893db4e3bc683c296095df39918daa94808e0b4043686d8f380a30c38cc8
Tags: base64-decodedexeRemcosRATuser-abuse_ch
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Avira: detected
Antivirus detection for URL or domain
Source: qwertyuioplkjhgfdsazxcvbnm.ydns.eu Avira URL Cloud: Label: malware
Found malware configuration
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Malware Configuration Extractor: Remcos {"Host:Port:Password": ["qwertyuioplkjhgfdsazxcvbnm.ydns.eu:20908:1"], "Assigned name": "yk", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "chrome-QT7PRS", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "chrome", "Keylog folder": "remcos"}
Multi AV Scanner detection for submitted file
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Virustotal: Detection: 83% Perma Link
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe ReversingLabs: Detection: 80%
Yara detected Remcos RAT
Source: Yara match File source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3616819829.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660, type: MEMORYSTR
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00433B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_00433B64
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_3de0b624-9

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660, type: MEMORYSTR

Privilege Escalation
barindex
Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00406ABC _wcslen,CoGetObject, 0_2_00406ABC
Uses 32bit PE files
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229212194.00000000036EE000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230055288.00000000033A6000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229001679.0000000003755000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206354115.00000000035E3000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203737667.000000000330A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617413422.00000000035E0000.00000040.10000000.00040000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206196035.00000000036F2000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229472522.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 00000002.00000002.1229227149.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 0_2_004090DC
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040B6B5
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 0_2_0041C7E5
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040B8BA
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0044E989 FindFirstFileExA, 0_2_0044E989
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 0_2_00408CDE
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00419CEE
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 0_2_00407EDD
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00406F13 FindFirstFileW,FindNextFileW, 0_2_00406F13
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_100010F1
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_10006580 FindFirstFileExA, 0_2_10006580
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0040B477 FindFirstFileW,FindNextFileW, 2_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 3_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 4_2_00407898
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00407357

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49720 -> 185.208.156.45:20908
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49719 -> 185.208.156.45:20908
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: qwertyuioplkjhgfdsazxcvbnm.ydns.eu
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49719 -> 185.208.156.45:20908
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.208.156.45 185.208.156.45
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SIMPLECARRIERCH SIMPLECARRIERCH
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49721 -> 178.237.33.50:80
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00427321 recv, 0_2_00427321
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617279410.0000000002930000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000004.00000002.1209329860.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617279410.0000000002930000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000004.00000002.1209329860.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: recover.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: recover.exe, 00000002.00000002.1230088072.0000000004DD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imgres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logino equals www.facebook.com (Facebook)
Source: recover.exe, 00000002.00000002.1230088072.0000000004DD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imgres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logino equals www.yahoo.com (Yahoo)
Source: bhv7151.tmp.2.dr String found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhv7151.tmp.2.dr String found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (Linkedin)
Source: global traffic DNS traffic detected: DNS query: qwertyuioplkjhgfdsazxcvbnm.ydns.eu
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: bhv7151.tmp.2.dr String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://c.pki.goog/we2/64OUIVzpZV4.crl0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv7151.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv7151.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: bhv7151.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv7151.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv7151.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv7151.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv7151.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv7151.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhv7151.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv7151.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv7151.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: bhv7151.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206237858.0000000000758000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203354157.0000000000758000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203872761.0000000000758000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203872761.000000000072F000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229533676.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203258661.00000000007B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3616819829.00000000006EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpM
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203354157.000000000072F000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206237858.0000000000729000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203872761.000000000072F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpa
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203354157.000000000072F000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206237858.0000000000729000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203872761.000000000072F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpll
Source: bhv7151.tmp.2.dr String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: bhv7151.tmp.2.dr String found in binary or memory: http://i.pki.goog/r4.crt0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://i.pki.goog/we2.crt0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://o.pki.goog/we20%
Source: bhv7151.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv7151.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv7151.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv7151.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0Q
Source: bhv7151.tmp.2.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhv7151.tmp.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv7151.tmp.2.dr String found in binary or memory: http://www.digicert.com/CPS0~
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617279410.0000000002930000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000004.00000002.1209329860.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617279410.0000000002930000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000004.00000002.1209329860.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000004.00000003.1208866200.000000000313D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000004.00000003.1209175844.000000000313D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617279410.0000000002930000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000004.00000002.1209329860.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617279410.0000000002930000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000004.00000002.1209329860.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: recover.exe, 00000004.00000003.1208866200.000000000313D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000004.00000003.1209175844.000000000313D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.comta
Source: bhv7151.tmp.2.dr String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696334965379
Source: recover.exe, 00000002.00000002.1229355796.00000000027B4000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: recover.exe, 00000004.00000002.1209329860.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: bhv7151.tmp.2.dr String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437
Source: bhv7151.tmp.2.dr String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d
Source: bhv7151.tmp.2.dr String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03
Source: bhv7151.tmp.2.dr String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7
Source: bhv7151.tmp.2.dr String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5
Source: bhv7151.tmp.2.dr String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742
Source: bhv7151.tmp.2.dr String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc
Source: bhv7151.tmp.2.dr String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d
Source: bhv7151.tmp.2.dr String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W
Source: bhv7151.tmp.2.dr String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326
Source: bhv7151.tmp.2.dr String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68
Source: bhv7151.tmp.2.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv7151.tmp.2.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv7151.tmp.2.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv7151.tmp.2.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv7151.tmp.2.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhv7151.tmp.2.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb&ndcParam=QWthbWFp
Source: bhv7151.tmp.2.dr String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv7151.tmp.2.dr String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: bhv7151.tmp.2.dr String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhv7151.tmp.2.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: bhv7151.tmp.2.dr String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv7151.tmp.2.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv7151.tmp.2.dr String found in binary or memory: https://dl.google.com/update2/installers/icons/%7B8a69d345-d564-463c-aff1-a69d9e530f96%7D.bmp?lang=e
Source: bhv7151.tmp.2.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr
Source: bhv7151.tmp.2.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr
Source: bhv7151.tmp.2.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD
Source: bhv7151.tmp.2.dr String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?99bdaa7641aea1439604d0afe8971477
Source: bhv7151.tmp.2.dr String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?bc7d158a1b0c0bcddb88a222b6122bda
Source: bhv7151.tmp.2.dr String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8
Source: bhv7151.tmp.2.dr String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c
Source: bhv7151.tmp.2.dr String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?4be9f57fdbd89d63c136fa90032d1d91
Source: bhv7151.tmp.2.dr String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?e5772e13592c9d33c9159aed24f891a7
Source: bhv7151.tmp.2.dr String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?a6aceac28fb5ae421a73cab7cdd76bd8
Source: bhv7151.tmp.2.dr String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?b57fe5cd49060a950d25a1d237496815
Source: bhv7151.tmp.2.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?2f6c563d6db8702d4f61cfc28e14d6ba
Source: bhv7151.tmp.2.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?3dacce210479f0b4d47ed33c21160712
Source: bhv7151.tmp.2.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?7e0e9c3a9f02f17275e789accf11532b
Source: bhv7151.tmp.2.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?81f59f7d566abbd2077a5b6cdfd04c7b
Source: bhv7151.tmp.2.dr String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?3c5bdbf226e2549812723f51b8fe2023
Source: bhv7151.tmp.2.dr String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?c50299ad5b45bb3d4c7a57024998a291
Source: bhv7151.tmp.2.dr String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: bhv7151.tmp.2.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv7151.tmp.2.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv7151.tmp.2.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: bhv7151.tmp.2.dr String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3
Source: bhv7151.tmp.2.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae
Source: recover.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv7151.tmp.2.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv7151.tmp.2.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_sKiljltKC1Ne_Y3fl1HuHQ2.css
Source: bhv7151.tmp.2.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qo
Source: bhv7151.tmp.2.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv7151.tmp.2.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2.js
Source: bhv7151.tmp.2.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv7151.tmp.2.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv7151.tmp.2.dr String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv7151.tmp.2.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhv7151.tmp.2.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=27ff908e89d7b6264fde
Source: bhv7151.tmp.2.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=586ba6
Source: bhv7151.tmp.2.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=7ccb04
Source: bhv7151.tmp.2.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=b1ed69
Source: bhv7151.tmp.2.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d
Source: bhv7151.tmp.2.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad
Source: bhv7151.tmp.2.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8
Source: bhv7151.tmp.2.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv7151.tmp.2.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhv7151.tmp.2.dr String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993
Source: bhv7151.tmp.2.dr String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51
Source: bhv7151.tmp.2.dr String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2
Source: bhv7151.tmp.2.dr String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59
Source: bhv7151.tmp.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617279410.0000000002930000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000004.00000002.1209329860.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: recover.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv7151.tmp.2.dr String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00409D1E SetWindowsHookExA 0000000D,00409D0A,00000000 0_2_00409D1E
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard, 0_2_0040B158
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_0041696E
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 2_2_00409E39
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 2_2_00409EA1
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 3_2_00406DFC
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 3_2_00406E9F
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 4_2_004068B5
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 4_2_004072B5
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard, 0_2_0040B158
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00409E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 0_2_00409E4A
Yara detected Keylogger Generic
Source: Yara match File source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660, type: MEMORYSTR

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3616819829.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0041CF2D SystemParametersInfoW, 0_2_0041CF2D

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00418267 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,GetLastError,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 0_2_00418267
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0041C077 OpenProcess,NtSuspendProcess,CloseHandle, 0_2_0041C077
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0041C0A3 OpenProcess,NtResumeProcess,CloseHandle, 0_2_0041C0A3
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 2_2_0040BAE3
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_004016FD NtdllDefWindowProc_A, 3_2_004016FD
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_004017B7 NtdllDefWindowProc_A, 3_2_004017B7
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_00402CAC NtdllDefWindowProc_A, 4_2_00402CAC
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_00402D66 NtdllDefWindowProc_A, 4_2_00402D66
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00416861 ExitWindowsEx,LoadLibraryA,GetProcAddress, 0_2_00416861
Detected potential crypto function
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0042809D 0_2_0042809D
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0045412B 0_2_0045412B
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_004421C0 0_2_004421C0
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_004281D7 0_2_004281D7
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0043E1E0 0_2_0043E1E0
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0041E29B 0_2_0041E29B
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_004373DA 0_2_004373DA
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00438380 0_2_00438380
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00453472 0_2_00453472
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0042747E 0_2_0042747E
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0043E43D 0_2_0043E43D
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_004325A1 0_2_004325A1
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0043774C 0_2_0043774C
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0041F809 0_2_0041F809
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_004379F6 0_2_004379F6
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_004279F5 0_2_004279F5
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0044DAD9 0_2_0044DAD9
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00433C73 0_2_00433C73
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00413CA0 0_2_00413CA0
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00437CBD 0_2_00437CBD
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0043DD82 0_2_0043DD82
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00435F52 0_2_00435F52
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00437F78 0_2_00437F78
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0043DFB1 0_2_0043DFB1
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_10017194 0_2_10017194
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_1000B5C1 0_2_1000B5C1
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0044A030 2_2_0044A030
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0040612B 2_2_0040612B
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0043E13D 2_2_0043E13D
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0044B188 2_2_0044B188
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_00442273 2_2_00442273
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0044D380 2_2_0044D380
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0044A5F0 2_2_0044A5F0
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_004125F6 2_2_004125F6
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_004065BF 2_2_004065BF
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_004086CB 2_2_004086CB
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_004066BC 2_2_004066BC
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0044D760 2_2_0044D760
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_00405A40 2_2_00405A40
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_00449A40 2_2_00449A40
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_00405AB1 2_2_00405AB1
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_00405B22 2_2_00405B22
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0044ABC0 2_2_0044ABC0
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_00405BB3 2_2_00405BB3
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_00417C60 2_2_00417C60
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0044CC70 2_2_0044CC70
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_00418CC9 2_2_00418CC9
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0044CDFB 2_2_0044CDFB
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0044CDA0 2_2_0044CDA0
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0044AE20 2_2_0044AE20
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_00415E3E 2_2_00415E3E
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_00437F3B 2_2_00437F3B
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_00405038 3_2_00405038
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0041208C 3_2_0041208C
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_004050A9 3_2_004050A9
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0040511A 3_2_0040511A
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0043C13A 3_2_0043C13A
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_004051AB 3_2_004051AB
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_00449300 3_2_00449300
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0040D322 3_2_0040D322
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0044A4F0 3_2_0044A4F0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0043A5AB 3_2_0043A5AB
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_00413631 3_2_00413631
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_00446690 3_2_00446690
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0044A730 3_2_0044A730
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_004398D8 3_2_004398D8
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_004498E0 3_2_004498E0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0044A886 3_2_0044A886
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0043DA09 3_2_0043DA09
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_00438D5E 3_2_00438D5E
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_00449ED0 3_2_00449ED0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0041FE83 3_2_0041FE83
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_00430F54 3_2_00430F54
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_004050C2 4_2_004050C2
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_004014AB 4_2_004014AB
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_00405133 4_2_00405133
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_004051A4 4_2_004051A4
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_00401246 4_2_00401246
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_0040CA46 4_2_0040CA46
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_00405235 4_2_00405235
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_004032C8 4_2_004032C8
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_00401689 4_2_00401689
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_00402F60 4_2_00402F60
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: String function: 004351E0 appears 55 times
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: String function: 00434ACF appears 44 times
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: String function: 00401F96 appears 49 times
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: String function: 00401EBF appears 34 times
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: String function: 00402117 appears 40 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 0044DDB0 appears 33 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 00418555 appears 34 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 004186B6 appears 58 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 004188FE appears 88 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 00413025 appears 79 times
Sample file is different than original file name gathered from version info
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617279410.000000000294B000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230055288.00000000033A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229716312.00000000036D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229051760.000000000076A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206237858.000000000076A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229320563.00000000036C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206354115.00000000035E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206237858.0000000000729000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617493368.00000000036D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Uses 32bit PE files
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@7/3@2/2
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 2_2_0041A225
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00417AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_00417AD9
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle, 4_2_00410DE1
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0041A6AF GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 2_2_0041A6AF
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0040C03C GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 0_2_0040C03C
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0041B9AB FindResourceA,LoadResource,LockResource,SizeofResource, 0_2_0041B9AB
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_0041AC43
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\json[1].json Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Mutant created: \Sessions\1\BaseNamedObjects\chrome-QT7PRS
Source: C:\Windows\SysWOW64\recover.exe File created: C:\Users\user\AppData\Local\Temp\bhv7151.tmp Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: chrome-QT7PRS 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: -Sys 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: Software\ 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: 0Eo 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: $cG 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: 0Eo 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: 0Eo 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: Exe 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: Exe 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: chrome-QT7PRS 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: 0Eo 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: 0Eo 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: Inj 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: Inj 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: 0Eo 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: lcG 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: <cG 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: <cG 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: <cG 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: <cG 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: 0Eo 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: exepath 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: 0Eo 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: exepath 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: <cG 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: licence 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: 0Eo 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: 0aG 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: l]G 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: System 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: Administrator 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: User 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: 0Eo 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: del 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: del 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: del 0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Command line argument: 0Eo 0_2_0040E560
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\recover.exe System information queried: HandleInformation Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: recover.exe, 00000002.00000002.1230088072.0000000004DD2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Virustotal: Detection: 83%
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe ReversingLabs: Detection: 80%
Source: C:\Windows\SysWOW64\recover.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe "C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe"
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gjlgpmjjomjxzjwekbeu"
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\rlqzifulcubcjxlitlzwojvs"
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\bfejixfeqctgmdhukwlxrwpbjwr"
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gjlgpmjjomjxzjwekbeu" Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\rlqzifulcubcjxlitlzwojvs" Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\bfejixfeqctgmdhukwlxrwpbjwr" Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229212194.00000000036EE000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230055288.00000000033A6000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229001679.0000000003755000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206354115.00000000035E3000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203737667.000000000330A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617413422.00000000035E0000.00000040.10000000.00040000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206196035.00000000036F2000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229472522.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 00000002.00000002.1229227149.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041D0CF
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_004570CF push ecx; ret 0_2_004570E2
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00435226 push ecx; ret 0_2_00435239
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00457A00 push eax; ret 0_2_00457A1E
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_10002806 push ecx; ret 0_2_10002819
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_00446B75 push ecx; ret 2_2_00446B85
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_00452BB4 push eax; ret 2_2_00452BC1
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0044DDB0 push eax; ret 2_2_0044DDC4
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0044DDB0 push eax; ret 2_2_0044DDEC
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0044B090 push eax; ret 3_2_0044B0A4
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0044B090 push eax; ret 3_2_0044B0CC
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_00451D34 push eax; ret 3_2_00451D41
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_00444E71 push ecx; ret 3_2_00444E81
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_00414060 push eax; ret 4_2_00414074
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_00414060 push eax; ret 4_2_0041409C
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_00414039 push ecx; ret 4_2_00414049
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_004164EB push 0000006Ah; retf 4_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_00416553 push 0000006Ah; retf 4_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_00416555 push 0000006Ah; retf 4_2_004165C4
Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_004062E2 ShellExecuteW,URLDownloadToFileW, 0_2_004062E2
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_0041AC43
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041D0CF
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 2_2_0040BAE3
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_0041A941
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Window / User API: threadDelayed 9823 Jump to behavior
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\recover.exe API coverage: 9.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe TID: 7676 Thread sleep count: 167 > 30 Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe TID: 7676 Thread sleep time: -501000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe TID: 7676 Thread sleep count: 9823 > 30 Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe TID: 7676 Thread sleep time: -29469000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 0_2_004090DC
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040B6B5
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 0_2_0041C7E5
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040B8BA
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0044E989 FindFirstFileExA, 0_2_0044E989
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 0_2_00408CDE
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00419CEE
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 0_2_00407EDD
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00406F13 FindFirstFileW,FindNextFileW, 0_2_00406F13
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_100010F1
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_10006580 FindFirstFileExA, 0_2_10006580
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0040B477 FindFirstFileW,FindNextFileW, 2_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 3_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe Code function: 4_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 4_2_00407898
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00407357
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0041A8D8 memset,GetSystemInfo, 2_2_0041A8D8
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3616819829.00000000006EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229051760.000000000076A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206237858.000000000076A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3616953032.000000000076A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203354157.000000000076A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229583781.000000000076A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: bhv7151.tmp.2.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: bhv7151.tmp.2.dr Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\recover.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\recover.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043B88D
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 2_2_0040BAE3
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041D0CF
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_004438F4 mov eax, dword ptr fs:[00000030h] 0_2_004438F4
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_10004AB4 mov eax, dword ptr fs:[00000030h] 0_2_10004AB4
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00411999 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError, 0_2_00411999
Enables debug privileges
Source: C:\Windows\SysWOW64\recover.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00435398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00435398
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043B88D
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00434D6E
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00434F01 SetUnhandledExceptionFilter, 0_2_00434F01
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_100060E2
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_10002639
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_10002B1C

HIPS / PFW / Operating System Protection Evasion
barindex
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00418267 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,GetLastError,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 0_2_00418267
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000 Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000 Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Memory written: C:\Windows\SysWOW64\recover.exe base: 28D0008 Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Memory written: C:\Windows\SysWOW64\recover.exe base: 2D93008 Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Memory written: C:\Windows\SysWOW64\recover.exe base: 2AD9008 Jump to behavior
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_004197D9 mouse_event, 0_2_004197D9
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gjlgpmjjomjxzjwekbeu" Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\rlqzifulcubcjxlitlzwojvs" Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\bfejixfeqctgmdhukwlxrwpbjwr" Jump to behavior
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3616953032.0000000000758000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerTY
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3616953032.0000000000758000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager2Y
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3616819829.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3616953032.000000000072F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3616953032.0000000000758000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager-Y-
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00435034 cpuid 0_2_00435034
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: GetLocaleInfoA, 0_2_0040F26B
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_004520E2
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_00452097
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_0045217D
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0045220A
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_0044844E
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: GetLocaleInfoW, 0_2_0045245A
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00452583
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: GetLocaleInfoW, 0_2_0045268A
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00452757
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: GetLocaleInfoW, 0_2_00448937
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00451E1F
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\recover.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_00404961 GetLocalTime,CreateEventA,CreateThread, 0_2_00404961
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_0041BB0E GetComputerNameExW,GetUserNameW, 0_2_0041BB0E
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: 0_2_004491DA _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_004491DA
Source: C:\Windows\SysWOW64\recover.exe Code function: 2_2_004192F2 GetVersionExW, 2_2_004192F2
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3616819829.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660, type: MEMORYSTR
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040B59B
Contains functionality to steal Firefox passwords or cookies
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040B6B5
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: \key3.db 0_2_0040B6B5
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail Jump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\SysWOW64\recover.exe Code function: ESMTPPassword 3_2_004033F0
Source: C:\Windows\SysWOW64\recover.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 3_2_00402DB3
Source: C:\Windows\SysWOW64\recover.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 3_2_00402DB3
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.330a1a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.330a1a0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.330a1a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.35e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.35e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1229212194.00000000036EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1229227149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1203737667.000000000330A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1229001679.0000000003755000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3617413422.00000000035E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1206354115.00000000035E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1206196035.00000000036F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1230055288.00000000033A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1229472522.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: recover.exe PID: 7868, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Remcos RAT
Source: Yara match File source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3616819829.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660, type: MEMORYSTR
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe Code function: cmd.exe 0_2_00405091