Edit tour

Windows Analysis Report
17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Overview

General Information

Sample name:	17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Analysis ID:	1639137
MD5:	5ddb167da3d34815ee5b1da2bf5819bf
SHA1:	887e427fe7af2ba6461c3b30592097f56c7dd65c
SHA256:	124b893db4e3bc683c296095df39918daa94808e0b4043686d8f380a30c38cc8
Tags:	base64-decodedexeRemcosRATuser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Sample uses process hollowing technique

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe (PID: 7660 cmdline: "C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe" MD5: 5DDB167DA3D34815EE5B1DA2BF5819BF)

recover.exe (PID: 7868 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gjlgpmjjomjxzjwekbeu" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7876 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\rlqzifulcubcjxlitlzwojvs" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7892 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\bfejixfeqctgmdhukwlxrwpbjwr" MD5: D38B657A068016768CA9F3B5E100B472)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["qwertyuioplkjhgfdsazxcvbnm.ydns.eu:20908:1"], "Assigned name": "yk", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "chrome-QT7PRS", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "chrome", "Keylog folder": "remcos"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000002.3616819829.00000000006EE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000003.1229212194.00000000036EE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x14758:$a1: Remcos restarted by watchdog! 0x14da8:$a3: %02i:%02i:%02i:%03i
00000002.00000002.1229227149.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x14758:$a1: Remcos restarted by watchdog! 0x14da8:$a3: %02i:%02i:%02i:%03i
00000000.00000003.1203737667.000000000330A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000003.1229001679.0000000003755000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000002.3617413422.00000000035E0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000003.1206354115.00000000035E3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000003.1206196035.00000000036F2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000003.1230055288.00000000033A6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000003.1229472522.00000000036F3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xb3e82:$a1: Remcos restarted by watchdog! 0xce2af:$a1: Remcos restarted by watchdog! 0xb44d7:$a3: %02i:%02i:%02i:%03i 0xb4914:$a3: %02i:%02i:%02i:%03i 0xce904:$a3: %02i:%02i:%02i:%03i 0xced41:$a3: %02i:%02i:%02i:%03i
Process Memory Space: recover.exe PID: 7868	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.330a1a0.2.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.recover.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.11.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.8.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.6.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.10.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.330a1a0.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.330a1a0.4.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.35e0000.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.8.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.5.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.recover.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.5.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.35e0000.2.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.6.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 22 entries

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-15T02:18:22.413072+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49719	185.208.156.45	20908	TCP
2025-03-15T02:18:23.819266+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49720	185.208.156.45	20908	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-15T02:18:24.833897+0100	2803304	3	Unknown Traffic	192.168.2.4	49721	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Avira: detected

Antivirus detection for URL or domain

Source: qwertyuioplkjhgfdsazxcvbnm.ydns.eu

Avira URL Cloud: Label: malware

Found malware configuration

Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["qwertyuioplkjhgfdsazxcvbnm.ydns.eu:20908:1"], "Assigned name": "yk", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "chrome-QT7PRS", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "chrome", "Keylog folder": "remcos"}

Multi AV Scanner detection for submitted file

Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Virustotal: Detection: 83%			Perma Link
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	ReversingLabs: Detection: 80%

Yara detected Remcos RAT

Source: Yara match	File source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3616819829.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660, type: MEMORYSTR

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_00433B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

0_2_00433B64

Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_3de0b624-9

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_00406ABC _wcslen,CoGetObject,

0_2_00406ABC

Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:

Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229212194.00000000036EE000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230055288.00000000033A6000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229001679.0000000003755000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206354115.00000000035E3000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203737667.000000000330A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617413422.00000000035E0000.00000040.10000000.00040000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206196035.00000000036F2000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229472522.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 00000002.00000002.1229227149.0000000000400000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	0_2_004090DC
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0040B6B5
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	0_2_0041C7E5
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	0_2_0040B8BA
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0044E989 FindFirstFileExA,	0_2_0044E989
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	0_2_00408CDE
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	0_2_00419CEE
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	0_2_00407EDD
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00406F13 FindFirstFileW,FindNextFileW,	0_2_00406F13
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_100010F1
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_10006580 FindFirstFileExA,	0_2_10006580
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_0040B477 FindFirstFileW,FindNextFileW,	2_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	3_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	4_2_00407898

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

0_2_00407357

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49720 -> 185.208.156.45:20908
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49719 -> 185.208.156.45:20908

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: qwertyuioplkjhgfdsazxcvbnm.ydns.eu

Source: global traffic

TCP traffic: 192.168.2.4:49719 -> 185.208.156.45:20908

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 185.208.156.45 185.208.156.45
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: SIMPLECARRIERCH SIMPLECARRIERCH

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49721 -> 178.237.33.50:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_00427321 recv,

0_2_00427321

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617279410.0000000002930000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000004.00000002.1209329860.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617279410.0000000002930000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000004.00000002.1209329860.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: recover.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: recover.exe, 00000002.00000002.1230088072.0000000004DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imgres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logino equals www.facebook.com (Facebook)
Source: recover.exe, 00000002.00000002.1230088072.0000000004DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imgres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logino equals www.yahoo.com (Yahoo)
Source: bhv7151.tmp.2.dr	String found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhv7151.tmp.2.dr	String found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (Linkedin)

Source: global traffic	DNS traffic detected: DNS query: qwertyuioplkjhgfdsazxcvbnm.ydns.eu
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: bhv7151.tmp.2.dr	String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://c.pki.goog/we2/64OUIVzpZV4.crl0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206237858.0000000000758000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203354157.0000000000758000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203872761.0000000000758000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203872761.000000000072F000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229533676.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203258661.00000000007B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3616819829.00000000006EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpM
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203354157.000000000072F000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206237858.0000000000729000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203872761.000000000072F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpa
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203354157.000000000072F000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206237858.0000000000729000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203872761.000000000072F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpll
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://i.pki.goog/r4.crt0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://i.pki.goog/we2.crt0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://o.pki.goog/we20%
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0Q
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617279410.0000000002930000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000004.00000002.1209329860.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617279410.0000000002930000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000004.00000002.1209329860.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000004.00000003.1208866200.000000000313D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000004.00000003.1209175844.000000000313D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617279410.0000000002930000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000004.00000002.1209329860.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617279410.0000000002930000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000004.00000002.1209329860.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: recover.exe, 00000004.00000003.1208866200.000000000313D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000004.00000003.1209175844.000000000313D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.comta
Source: bhv7151.tmp.2.dr	String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696334965379
Source: recover.exe, 00000002.00000002.1229355796.00000000027B4000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: recover.exe, 00000004.00000002.1209329860.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb&ndcParam=QWthbWFp
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://dl.google.com/update2/installers/icons/%7B8a69d345-d564-463c-aff1-a69d9e530f96%7D.bmp?lang=e
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?99bdaa7641aea1439604d0afe8971477
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?bc7d158a1b0c0bcddb88a222b6122bda
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?4be9f57fdbd89d63c136fa90032d1d91
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?e5772e13592c9d33c9159aed24f891a7
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?a6aceac28fb5ae421a73cab7cdd76bd8
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?b57fe5cd49060a950d25a1d237496815
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?2f6c563d6db8702d4f61cfc28e14d6ba
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?3dacce210479f0b4d47ed33c21160712
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?7e0e9c3a9f02f17275e789accf11532b
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?81f59f7d566abbd2077a5b6cdfd04c7b
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?3c5bdbf226e2549812723f51b8fe2023
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?c50299ad5b45bb3d4c7a57024998a291
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae
Source: recover.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_sKiljltKC1Ne_Y3fl1HuHQ2.css
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qo
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2.js
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=27ff908e89d7b6264fde
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=586ba6
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=7ccb04
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=b1ed69
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617279410.0000000002930000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000004.00000002.1209329860.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: recover.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv7151.tmp.2.dr	String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_00409D1E SetWindowsHookExA 0000000D,00409D0A,00000000

0_2_00409D1E

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,

0_2_0040B158

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	0_2_0041696E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	2_2_00409E39
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	2_2_00409EA1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	3_2_00406DFC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	3_2_00406E9F
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	4_2_004068B5
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	4_2_004072B5

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,

0_2_0040B158

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_00409E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

0_2_00409E4A

Source: Yara match	File source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3616819829.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_0041CF2D SystemParametersInfoW,

0_2_0041CF2D

System Summary

Malicious sample detected (through community Yara rule)

Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00418267 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,GetLastError,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	0_2_00418267
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0041C077 OpenProcess,NtSuspendProcess,CloseHandle,	0_2_0041C077
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0041C0A3 OpenProcess,NtResumeProcess,CloseHandle,	0_2_0041C0A3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	2_2_0040BAE3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_004016FD NtdllDefWindowProc_A,	3_2_004016FD
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_004017B7 NtdllDefWindowProc_A,	3_2_004017B7
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_00402CAC NtdllDefWindowProc_A,	4_2_00402CAC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_00402D66 NtdllDefWindowProc_A,	4_2_00402D66

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_00416861 ExitWindowsEx,LoadLibraryA,GetProcAddress,

0_2_00416861

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0042809D	0_2_0042809D
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0045412B	0_2_0045412B
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_004421C0	0_2_004421C0
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_004281D7	0_2_004281D7
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0043E1E0	0_2_0043E1E0
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0041E29B	0_2_0041E29B
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_004373DA	0_2_004373DA
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00438380	0_2_00438380
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00453472	0_2_00453472
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0042747E	0_2_0042747E
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0043E43D	0_2_0043E43D
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_004325A1	0_2_004325A1
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0043774C	0_2_0043774C
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0041F809	0_2_0041F809
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_004379F6	0_2_004379F6
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_004279F5	0_2_004279F5
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0044DAD9	0_2_0044DAD9
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00433C73	0_2_00433C73
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00413CA0	0_2_00413CA0
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00437CBD	0_2_00437CBD
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0043DD82	0_2_0043DD82
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00435F52	0_2_00435F52
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00437F78	0_2_00437F78
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0043DFB1	0_2_0043DFB1
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_10017194	0_2_10017194
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_1000B5C1	0_2_1000B5C1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_0044A030	2_2_0044A030
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_0040612B	2_2_0040612B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_0043E13D	2_2_0043E13D
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_0044B188	2_2_0044B188
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_00442273	2_2_00442273
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_0044D380	2_2_0044D380
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_0044A5F0	2_2_0044A5F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_004125F6	2_2_004125F6
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_004065BF	2_2_004065BF
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_004086CB	2_2_004086CB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_004066BC	2_2_004066BC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_0044D760	2_2_0044D760
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_00405A40	2_2_00405A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_00449A40	2_2_00449A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_00405AB1	2_2_00405AB1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_00405B22	2_2_00405B22
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_0044ABC0	2_2_0044ABC0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_00405BB3	2_2_00405BB3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_00417C60	2_2_00417C60
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_0044CC70	2_2_0044CC70
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_00418CC9	2_2_00418CC9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_0044CDFB	2_2_0044CDFB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_0044CDA0	2_2_0044CDA0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_0044AE20	2_2_0044AE20
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_00415E3E	2_2_00415E3E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_00437F3B	2_2_00437F3B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_00405038	3_2_00405038
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_0041208C	3_2_0041208C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_004050A9	3_2_004050A9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_0040511A	3_2_0040511A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_0043C13A	3_2_0043C13A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_004051AB	3_2_004051AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_00449300	3_2_00449300
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_0040D322	3_2_0040D322
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_0044A4F0	3_2_0044A4F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_0043A5AB	3_2_0043A5AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_00413631	3_2_00413631
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_00446690	3_2_00446690
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_0044A730	3_2_0044A730
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_004398D8	3_2_004398D8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_004498E0	3_2_004498E0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_0044A886	3_2_0044A886
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_0043DA09	3_2_0043DA09
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_00438D5E	3_2_00438D5E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_00449ED0	3_2_00449ED0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_0041FE83	3_2_0041FE83
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_00430F54	3_2_00430F54
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_004050C2	4_2_004050C2
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_004014AB	4_2_004014AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_00405133	4_2_00405133
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_004051A4	4_2_004051A4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_00401246	4_2_00401246
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_0040CA46	4_2_0040CA46
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_00405235	4_2_00405235
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_004032C8	4_2_004032C8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_00401689	4_2_00401689
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_00402F60	4_2_00402F60

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: String function: 004351E0 appears 55 times
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: String function: 00434ACF appears 44 times
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: String function: 00401F96 appears 49 times
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: String function: 00401EBF appears 34 times
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: String function: 00402117 appears 40 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 0044DDB0 appears 33 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00418555 appears 34 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004186B6 appears 58 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004188FE appears 88 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00413025 appears 79 times

Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617279410.000000000294B000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230055288.00000000033A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229716312.00000000036D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229051760.000000000076A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206237858.000000000076A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229320563.00000000036C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206354115.00000000035E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206237858.0000000000729000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3617493368.00000000036D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@7/3@2/2

Source: C:\Windows\SysWOW64\recover.exe

Code function: 2_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

2_2_0041A225

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00417AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		0_2_00417AD9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,		4_2_00410DE1

Source: C:\Windows\SysWOW64\recover.exe

Code function: 2_2_0041A6AF GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

2_2_0041A6AF

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_0040C03C GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

0_2_0040C03C

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_0041B9AB FindResourceA,LoadResource,LockResource,SizeofResource,

0_2_0041B9AB

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_0041AC43

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\json[1].json

Jump to behavior

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Mutant created: \Sessions\1\BaseNamedObjects\chrome-QT7PRS

Source: C:\Windows\SysWOW64\recover.exe

File created: C:\Users\user\AppData\Local\Temp\bhv7151.tmp

Jump to behavior

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: chrome-QT7PRS	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: -Sys	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: Software\	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: 0Eo	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: $cG	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: 0Eo	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: 0Eo	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: Exe	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: Exe	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: chrome-QT7PRS	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: 0Eo	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: 0Eo	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: Inj	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: Inj	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: 0Eo	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: lcG	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: <cG	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: <cG	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: <cG	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: <cG	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: 0Eo	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: exepath	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: 0Eo	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: exepath	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: <cG	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: licence	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: 0Eo	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: 0aG	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: l]G	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: System	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: Administrator	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: User	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: 0Eo	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: del	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: del	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: del	0_2_0040E560
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Command line argument: 0Eo	0_2_0040E560

Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\recover.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: recover.exe, 00000002.00000002.1230088072.0000000004DD2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Virustotal: Detection: 83%
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	ReversingLabs: Detection: 80%

Source: C:\Windows\SysWOW64\recover.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe "C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe"
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gjlgpmjjomjxzjwekbeu"
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\rlqzifulcubcjxlitlzwojvs"
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\bfejixfeqctgmdhukwlxrwpbjwr"
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gjlgpmjjomjxzjwekbeu"	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\rlqzifulcubcjxlitlzwojvs"	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\bfejixfeqctgmdhukwlxrwpbjwr"	Jump to behavior

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

0_2_0041D0CF

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_004570CF push ecx; ret	0_2_004570E2
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00435226 push ecx; ret	0_2_00435239
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00457A00 push eax; ret	0_2_00457A1E
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_10002806 push ecx; ret	0_2_10002819
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_00446B75 push ecx; ret	2_2_00446B85
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_00452BB4 push eax; ret	2_2_00452BC1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_0044DDB0 push eax; ret	2_2_0044DDC4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_0044DDB0 push eax; ret	2_2_0044DDEC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_0044B090 push eax; ret	3_2_0044B0A4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_0044B090 push eax; ret	3_2_0044B0CC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_00451D34 push eax; ret	3_2_00451D41
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_00444E71 push ecx; ret	3_2_00444E81
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_00414060 push eax; ret	4_2_00414074
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_00414060 push eax; ret	4_2_0041409C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_00414039 push ecx; ret	4_2_00414049
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_004164EB push 0000006Ah; retf	4_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_00416553 push 0000006Ah; retf	4_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_00416555 push 0000006Ah; retf	4_2_004165C4

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_004062E2 ShellExecuteW,URLDownloadToFileW,

0_2_004062E2

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_0041AC43

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

0_2_0041D0CF

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

Code function: 2_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

2_2_0040BAE3

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

0_2_0041A941

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Window / User API: threadDelayed 9823

Jump to behavior

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-52979

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-54421

Source: C:\Windows\SysWOW64\recover.exe

API coverage: 9.7 %

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe TID: 7676	Thread sleep count: 167 > 30	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe TID: 7676	Thread sleep time: -501000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe TID: 7676	Thread sleep count: 9823 > 30	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe TID: 7676	Thread sleep time: -29469000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	0_2_004090DC
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0040B6B5
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	0_2_0041C7E5
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	0_2_0040B8BA
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0044E989 FindFirstFileExA,	0_2_0044E989
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	0_2_00408CDE
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	0_2_00419CEE
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	0_2_00407EDD
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00406F13 FindFirstFileW,FindNextFileW,	0_2_00406F13
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_100010F1
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_10006580 FindFirstFileExA,	0_2_10006580
Source: C:\Windows\SysWOW64\recover.exe	Code function: 2_2_0040B477 FindFirstFileW,FindNextFileW,	2_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe	Code function: 3_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	3_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 4_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	4_2_00407898

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

0_2_00407357

Source: C:\Windows\SysWOW64\recover.exe

Code function: 2_2_0041A8D8 memset,GetSystemInfo,

2_2_0041A8D8

Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3616819829.00000000006EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229051760.000000000076A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1206237858.000000000076A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3616953032.000000000076A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1203354157.000000000076A000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000003.1229583781.000000000076A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bhv7151.tmp.2.dr	Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: bhv7151.tmp.2.dr	Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	API call chain: ExitProcess graph end node			graph_0-54950
Source: C:\Windows\SysWOW64\recover.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\recover.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0043B88D

Source: C:\Windows\SysWOW64\recover.exe

2_2_0040BAE3

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

0_2_0041D0CF

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_004438F4 mov eax, dword ptr fs:[00000030h]		0_2_004438F4
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_10004AB4 mov eax, dword ptr fs:[00000030h]		0_2_10004AB4

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_00411999 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,

0_2_00411999

Source: C:\Windows\SysWOW64\recover.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00435398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00435398
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0043B88D
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00434D6E
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_00434F01 SetUnhandledExceptionFilter,	0_2_00434F01
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_100060E2
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_10002639
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: 0_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_10002B1C

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_00418267 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,GetLastError,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,

0_2_00418267

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 28D0008	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2D93008	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2AD9008	Jump to behavior

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_004197D9 mouse_event,

0_2_004197D9

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gjlgpmjjomjxzjwekbeu"	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\rlqzifulcubcjxlitlzwojvs"	Jump to behavior
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\bfejixfeqctgmdhukwlxrwpbjwr"	Jump to behavior

Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3616953032.0000000000758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerTY
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3616953032.0000000000758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager2Y
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3616819829.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3616953032.000000000072F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, 00000000.00000002.3616953032.0000000000758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager-Y-

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_00435034 cpuid

0_2_00435034

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: GetLocaleInfoA,	0_2_0040F26B
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: EnumSystemLocalesW,	0_2_004520E2
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: EnumSystemLocalesW,	0_2_00452097
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: EnumSystemLocalesW,	0_2_0045217D
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0045220A
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: EnumSystemLocalesW,	0_2_0044844E
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: GetLocaleInfoW,	0_2_0045245A
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00452583
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: GetLocaleInfoW,	0_2_0045268A
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00452757
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: GetLocaleInfoW,	0_2_00448937
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00451E1F

Source: C:\Windows\SysWOW64\recover.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_00404961 GetLocalTime,CreateEventA,CreateThread,

0_2_00404961

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_0041BB0E GetComputerNameExW,GetUserNameW,

0_2_0041BB0E

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: 0_2_004491DA _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_004491DA

Source: C:\Windows\SysWOW64\recover.exe

Code function: 2_2_004192F2 GetVersionExW,

2_2_004192F2

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3616819829.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

0_2_0040B59B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		0_2_0040B6B5
Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe	Code function: \key3.db		0_2_0040B6B5

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\recover.exe	Code function: ESMTPPassword	3_2_004033F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	3_2_00402DB3
Source: C:\Windows\SysWOW64\recover.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	3_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.330a1a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.330a1a0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.330a1a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.35e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.35e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.36f26a0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1205087005.000000000284E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1229982605.0000000002845000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1205983010.000000000284A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1229907448.0000000003534000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1229212194.00000000036EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1229227149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1203737667.000000000330A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1229001679.0000000003755000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1206095928.0000000003691000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3617413422.00000000035E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1230127639.0000000003483000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1206354115.00000000035E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1206196035.00000000036F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1230055288.00000000033A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1229472522.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: recover.exe PID: 7868, type: MEMORYSTR

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.2.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3616819829.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3616402255.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1170096209.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe PID: 7660, type: MEMORYSTR

Source: C:\Users\user\Desktop\17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Code function: cmd.exe

0_2_00405091

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	1 Windows Service	1 Bypass User Account Control	2 Obfuscated Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	13 Command and Scripting Interpreter	Logon Script (Windows)	1 Access Token Manipulation	1 DLL Side-Loading	2 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	Login Hook	1 Windows Service	1 Bypass User Account Control	3 Credentials In Files	3 File and Directory Discovery	Distributed Component Object Model	111 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	412 Process Injection	1 Masquerading	LSA Secrets	38 System Information Discovery	SSH	3 Clipboard Data	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	31 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	412 Process Injection	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
17420012002c13e102609a2d8169f0831d6f3f76315d3dd3ae937646efd6b36a817a9a6e1e580.dat-decoded.exe