Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
nvtoaowsdkrthja.exe

Overview

General Information

Sample name:nvtoaowsdkrthja.exe
Analysis ID:1639460
MD5:01967ccbacb4b490ce4115c92c25bdcc
SHA1:e50b4a140aeebef17d61169e86032d0834fedbf3
SHA256:4896f29c189d4c177029dc1c9e5a8e916bbf72146a405417b65eedee90f994a7
Tags:exeRemcosRATuser-aachum
Infos:

Detection

Remcos
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Joe Sandbox ML detected suspicious sample
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • nvtoaowsdkrthja.exe (PID: 7052 cmdline: "C:\Users\user\Desktop\nvtoaowsdkrthja.exe" MD5: 01967CCBACB4B490CE4115C92C25BDCC)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["193.124.47.250:9323:0", "angelasdw12394.ru:9323:0", "angela2qwdw394.ru:9323:0", "angela2q32fds94.ru:9323:0", "angeladwedwefds94.ru:9323:0", "angeladwqwe94.ru:9323:0", "angel234se94.ru:9323:1"], "Assigned name": "svhostd", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "6\u0004C\u0004@\u0004=\u00040\u0004;\u0004K\u0004.\u0000d\u0000a\u0000t", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
nvtoaowsdkrthja.exeJoeSecurity_RemcosYara detected Remcos RATJoe Security
    nvtoaowsdkrthja.exeREMCOS_RAT_variantsunknownunknown
    • 0x58948:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x58e58:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x58828:$str_b2: Executing file:
    • 0x59248:$str_b3: GetDirectListeningPort
    • 0x58c48:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x58dc8:$str_b7: \update.vbs
    • 0x58854:$str_b9: Downloaded file:
    • 0x58840:$str_b10: Downloading file:
    • 0x588e4:$str_b12: Failed to upload file:
    • 0x59210:$str_b13: StartForward
    • 0x59230:$str_b14: StopForward
    • 0x58d20:$str_b15: fso.DeleteFile "
    • 0x58cb4:$str_b16: On Error Resume Next
    • 0x58d50:$str_b17: fso.DeleteFolder "
    • 0x588d4:$str_b18: Uploaded file:
    • 0x58894:$str_b19: Unable to delete:
    • 0x58ce8:$str_b20: while fso.FileExists("
    • 0x58a81:$str_c0: [Firefox StoredLogins not found]
    • 0x589b5:$str_c2: [Chrome StoredLogins found, cleared!]
    • 0x58991:$str_c3: [Chrome StoredLogins not found]
    • 0x58aa8:$str_c6: \logins.json

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000000.852857645.000000000044D000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
      00000000.00000002.3319209365.000000000044D000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
        Process Memory Space: nvtoaowsdkrthja.exe PID: 7052JoeSecurity_RemcosYara detected Remcos RATJoe Security

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.2.nvtoaowsdkrthja.exe.400000.0.unpackJoeSecurity_RemcosYara detected Remcos RATJoe Security
            0.0.nvtoaowsdkrthja.exe.400000.0.unpackJoeSecurity_RemcosYara detected Remcos RATJoe Security
              0.2.nvtoaowsdkrthja.exe.400000.0.unpackREMCOS_RAT_variantsunknownunknown
              • 0x58948:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
              • 0x58e58:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
              • 0x58828:$str_b2: Executing file:
              • 0x59248:$str_b3: GetDirectListeningPort
              • 0x58c48:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
              • 0x58dc8:$str_b7: \update.vbs
              • 0x58854:$str_b9: Downloaded file:
              • 0x58840:$str_b10: Downloading file:
              • 0x588e4:$str_b12: Failed to upload file:
              • 0x59210:$str_b13: StartForward
              • 0x59230:$str_b14: StopForward
              • 0x58d20:$str_b15: fso.DeleteFile "
              • 0x58cb4:$str_b16: On Error Resume Next
              • 0x58d50:$str_b17: fso.DeleteFolder "
              • 0x588d4:$str_b18: Uploaded file:
              • 0x58894:$str_b19: Unable to delete:
              • 0x58ce8:$str_b20: while fso.FileExists("
              • 0x58a81:$str_c0: [Firefox StoredLogins not found]
              • 0x589b5:$str_c2: [Chrome StoredLogins found, cleared!]
              • 0x58991:$str_c3: [Chrome StoredLogins not found]
              • 0x58aa8:$str_c6: \logins.json
              0.0.nvtoaowsdkrthja.exe.400000.0.unpackREMCOS_RAT_variantsunknownunknown
              • 0x58948:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
              • 0x58e58:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
              • 0x58828:$str_b2: Executing file:
              • 0x59248:$str_b3: GetDirectListeningPort
              • 0x58c48:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
              • 0x58dc8:$str_b7: \update.vbs
              • 0x58854:$str_b9: Downloaded file:
              • 0x58840:$str_b10: Downloading file:
              • 0x588e4:$str_b12: Failed to upload file:
              • 0x59210:$str_b13: StartForward
              • 0x59230:$str_b14: StopForward
              • 0x58d20:$str_b15: fso.DeleteFile "
              • 0x58cb4:$str_b16: On Error Resume Next
              • 0x58d50:$str_b17: fso.DeleteFolder "
              • 0x588d4:$str_b18: Uploaded file:
              • 0x58894:$str_b19: Unable to delete:
              • 0x58ce8:$str_b20: while fso.FileExists("
              • 0x58a81:$str_c0: [Firefox StoredLogins not found]
              • 0x589b5:$str_c2: [Chrome StoredLogins found, cleared!]
              • 0x58991:$str_c3: [Chrome StoredLogins not found]
              • 0x58aa8:$str_c6: \logins.json

              Sigma Signatures

              No Sigma rule has matched

              Suricata Signatures

              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-03-15T16:54:12.506369+010020327761Malware Command and Control Activity Detected192.168.2.749681193.124.47.2509323TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-03-15T16:54:13.190073+010020327771Malware Command and Control Activity Detected193.124.47.2509323192.168.2.749681TCP
              2025-03-15T16:56:19.285768+010020327771Malware Command and Control Activity Detected193.124.47.2509323192.168.2.749681TCP
              2025-03-15T16:58:19.449815+010020327771Malware Command and Control Activity Detected193.124.47.2509323192.168.2.749681TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-03-15T16:54:14.073833+010028033043Unknown Traffic192.168.2.749682178.237.33.5080TCP

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Antivirus / Scanner detection for submitted sample
              Source: nvtoaowsdkrthja.exeAvira: detected
              Found malware configuration
              Source: nvtoaowsdkrthja.exeMalware Configuration Extractor: Remcos {"Host:Port:Password": ["193.124.47.250:9323:0", "angelasdw12394.ru:9323:0", "angela2qwdw394.ru:9323:0", "angela2q32fds94.ru:9323:0", "angeladwedwefds94.ru:9323:0", "angeladwqwe94.ru:9323:0", "angel234se94.ru:9323:1"], "Assigned name": "svhostd", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "6\u0004C\u0004@\u0004=\u00040\u0004;\u0004K\u0004.\u0000d\u0000a\u0000t", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
              Multi AV Scanner detection for submitted file
              Source: nvtoaowsdkrthja.exeVirustotal: Detection: 75%Perma Link
              Source: nvtoaowsdkrthja.exeReversingLabs: Detection: 86%
              Yara detected Remcos RAT
              Source: Yara matchFile source: nvtoaowsdkrthja.exe, type: SAMPLE
              Source: Yara matchFile source: 0.2.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000000.852857645.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.3319209365.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: nvtoaowsdkrthja.exe PID: 7052, type: MEMORYSTR
              Joe Sandbox ML detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.8% probability
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0042B8A7 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_0042B8A7
              Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319209365.000000000044D000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_75e64847-0
              Source: nvtoaowsdkrthja.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00408047 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_00408047
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00408262 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_00408262
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_004412B9 FindFirstFileExA,0_2_004412B9
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0040734E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_0040734E
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0040779C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_0040779C
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00405CF7 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_00405CF7
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00404D5C FindFirstFileW,FindNextFileW,0_2_00404D5C
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00414E56 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,0_2_00414E56
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00405183 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00405183

              Networking

              barindex
              Suricata IDS alerts for network traffic
              Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.7:49681 -> 193.124.47.250:9323
              Source: Network trafficSuricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 193.124.47.250:9323 -> 192.168.2.7:49681
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractorURLs: angelasdw12394.ru
              Source: Malware configuration extractorURLs: angela2qwdw394.ru
              Source: Malware configuration extractorURLs: angela2q32fds94.ru
              Source: Malware configuration extractorURLs: angeladwedwefds94.ru
              Source: Malware configuration extractorURLs: angeladwqwe94.ru
              Source: Malware configuration extractorURLs: angel234se94.ru
              Source: Malware configuration extractorIPs: 193.124.47.250
              Source: global trafficTCP traffic: 192.168.2.7:49681 -> 193.124.47.250:9323
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
              Source: Joe Sandbox ViewASN Name: AS-REGRU AS-REGRU
              Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49682 -> 178.237.33.50:80
              Source: unknownTCP traffic detected without corresponding DNS query: 193.124.47.250
              Source: unknownTCP traffic detected without corresponding DNS query: 193.124.47.250
              Source: unknownTCP traffic detected without corresponding DNS query: 193.124.47.250
              Source: unknownTCP traffic detected without corresponding DNS query: 193.124.47.250
              Source: unknownTCP traffic detected without corresponding DNS query: 193.124.47.250
              Source: unknownTCP traffic detected without corresponding DNS query: 193.124.47.250
              Source: unknownTCP traffic detected without corresponding DNS query: 193.124.47.250
              Source: unknownTCP traffic detected without corresponding DNS query: 193.124.47.250
              Source: unknownTCP traffic detected without corresponding DNS query: 193.124.47.250
              Source: unknownTCP traffic detected without corresponding DNS query: 193.124.47.250
              Source: unknownTCP traffic detected without corresponding DNS query: 193.124.47.250
              Source: unknownTCP traffic detected without corresponding DNS query: 193.124.47.250
              Source: unknownTCP traffic detected without corresponding DNS query: 193.124.47.250
              Source: unknownTCP traffic detected without corresponding DNS query: 193.124.47.250
              Source: unknownTCP traffic detected without corresponding DNS query: 193.124.47.250
              Source: unknownTCP traffic detected without corresponding DNS query: 193.124.47.250
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_004140CF InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_004140CF
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: global trafficDNS traffic detected: DNS query: geoplugin.net
              Source: nvtoaowsdkrthja.exe, 00000000.00000003.869154496.0000000000727000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
              Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.0000000000701000.00000004.00000020.00020000.00000000.sdmp, nvtoaowsdkrthja.exe, 00000000.00000003.869154496.0000000000727000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
              Source: nvtoaowsdkrthja.exeString found in binary or memory: http://geoplugin.net/json.gp/C
              Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.0000000000727000.00000004.00000020.00020000.00000000.sdmp, nvtoaowsdkrthja.exe, 00000000.00000003.869154496.0000000000727000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp?
              Source: nvtoaowsdkrthja.exe, 00000000.00000003.869154496.0000000000701000.00000004.00000020.00020000.00000000.sdmp, nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.0000000000701000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpA
              Source: nvtoaowsdkrthja.exe, 00000000.00000003.869154496.0000000000701000.00000004.00000020.00020000.00000000.sdmp, nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.0000000000701000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32
              Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.0000000000727000.00000004.00000020.00020000.00000000.sdmp, nvtoaowsdkrthja.exe, 00000000.00000003.869154496.0000000000727000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpg
              Source: nvtoaowsdkrthja.exe, 00000000.00000003.869154496.0000000000701000.00000004.00000020.00020000.00000000.sdmp, nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.0000000000701000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gps
              Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.00000000006CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp~
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00410027 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_00410027
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00410027 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_00410027
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00410027 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_00410027

              E-Banking Fraud

              barindex
              Yara detected Remcos RAT
              Source: Yara matchFile source: nvtoaowsdkrthja.exe, type: SAMPLE
              Source: Yara matchFile source: 0.2.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000000.852857645.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.3319209365.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: nvtoaowsdkrthja.exe PID: 7052, type: MEMORYSTR

              Spam, unwanted Advertisements and Ransom Demands

              barindex
              Contains functionalty to change the wallpaper
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00415440 SystemParametersInfoW,0_2_00415440

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: nvtoaowsdkrthja.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.0.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00414791 OpenProcess,NtSuspendProcess,CloseHandle,0_2_00414791
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_004147BD OpenProcess,NtResumeProcess,CloseHandle,0_2_004147BD
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0043107D0_2_0043107D
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0043712B0_2_0043712B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_004202320_2_00420232
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_004203750_2_00420375
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_004383800_2_00438380
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_004464890_2_00446489
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_004314950_2_00431495
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0041F69D0_2_0041F69D
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0041672B0_2_0041672B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_004318CA0_2_004318CA
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0042E9000_2_0042E900
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0042B9B20_2_0042B9B2
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0044BB700_2_0044BB70
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00430B810_2_00430B81
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0041FB940_2_0041FB94
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0040DC0B0_2_0040DC0B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00417CE20_2_00417CE2
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00431CFF0_2_00431CFF
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00445D6B0_2_00445D6B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00447DB30_2_00447DB3
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0042DE5B0_2_0042DE5B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00436EFC0_2_00436EFC
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: String function: 0042C55C appears 36 times
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: String function: 0042CE30 appears 50 times
              Source: nvtoaowsdkrthja.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: nvtoaowsdkrthja.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.0.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: classification engineClassification label: mal100.rans.troj.spyw.winEXE@1/1@1/2
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00411046 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_00411046
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0040AA69 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0040AA69
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_004141F4 FindResourceA,LoadResource,LockResource,SizeofResource,0_2_004141F4
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_004134DF OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_004134DF
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\json[1].jsonJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeMutant created: \Sessions\1\BaseNamedObjects\ -TEM3DH
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: `ln0_2_0040A34B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: `ln0_2_0040A34B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: -Sys0_2_0040A34B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: Software\0_2_0040A34B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: xm0_2_0040A34B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: Pqm0_2_0040A34B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: xm0_2_0040A34B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: xm0_2_0040A34B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: Exe0_2_0040A34B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: Exe0_2_0040A34B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: `ln0_2_0040A34B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: licence0_2_0040A34B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: xm0_2_0040A34B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: System0_2_0040A34B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: Administrator0_2_0040A34B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: User0_2_0040A34B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: xm0_2_0040A34B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: del0_2_0040A34B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: del0_2_0040A34B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCommand line argument: del0_2_0040A34B
              Source: nvtoaowsdkrthja.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: nvtoaowsdkrthja.exeVirustotal: Detection: 75%
              Source: nvtoaowsdkrthja.exeReversingLabs: Detection: 86%
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
              Source: nvtoaowsdkrthja.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: nvtoaowsdkrthja.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: nvtoaowsdkrthja.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: nvtoaowsdkrthja.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: nvtoaowsdkrthja.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: nvtoaowsdkrthja.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: nvtoaowsdkrthja.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: nvtoaowsdkrthja.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: nvtoaowsdkrthja.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: nvtoaowsdkrthja.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: nvtoaowsdkrthja.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: nvtoaowsdkrthja.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_004155E6 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_004155E6
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0044B538 push eax; ret 0_2_0044B556
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0044ACD6 push ecx; ret 0_2_0044ACE9
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0042CE76 push ecx; ret 0_2_0042CE89
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00404AA4 ShellExecuteW,URLDownloadToFileW,0_2_00404AA4
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_004134DF OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_004134DF
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_004155E6 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_004155E6
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_0041320D
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeWindow / User API: threadDelayed 4272Jump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeWindow / User API: threadDelayed 5718Jump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_0-40462
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe TID: 7096Thread sleep count: 4272 > 30Jump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe TID: 7096Thread sleep time: -12816000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe TID: 7096Thread sleep count: 5718 > 30Jump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe TID: 7096Thread sleep time: -17154000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00408047 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_00408047
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00408262 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_00408262
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_004412B9 FindFirstFileExA,0_2_004412B9
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0040734E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_0040734E
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0040779C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_0040779C
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00405CF7 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_00405CF7
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00404D5C FindFirstFileW,FindNextFileW,0_2_00404D5C
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00414E56 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,0_2_00414E56
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00405183 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00405183
              Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.00000000006CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP
              Source: nvtoaowsdkrthja.exe, 00000000.00000003.869226064.0000000000742000.00000004.00000020.00020000.00000000.sdmp, nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.0000000000742000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeAPI call chain: ExitProcess graph end nodegraph_0-41987
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_004327AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004327AC
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_004155E6 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_004155E6
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00439723 mov eax, dword ptr fs:[00000030h]0_2_00439723
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0040D17F GetProcessHeap,HeapFree,0_2_0040D17F
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_004327AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004327AC
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0042CC81 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0042CC81
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0042CDCF SetUnhandledExceptionFilter,0_2_0042CDCF
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0042CFF6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0042CFF6
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0041286C mouse_event,0_2_0041286C
              Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.000000000073A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.000000000073A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager_
              Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.0000000000727000.00000004.00000020.00020000.00000000.sdmp, nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.000000000073A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
              Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.000000000073A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerZ
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_0041455E cpuid 0_2_0041455E
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: GetLocaleInfoA,0_2_0040AA3D
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00445050
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: EnumSystemLocalesW,0_2_0043D715
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00444718
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: GetLocaleInfoA,AllocConsole,AllocConsole,AllocConsole,ExpandEnvironmentStringsA,AllocConsole,ExpandEnvironmentStringsA,AllocConsole,0_2_0040C892
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: EnumSystemLocalesW,0_2_004449DB
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: EnumSystemLocalesW,0_2_00444990
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: EnumSystemLocalesW,0_2_00444A76
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00444B03
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: GetLocaleInfoW,0_2_0043DB9B
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: GetLocaleInfoW,0_2_00444D53
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00444E7C
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: GetLocaleInfoW,0_2_00444F83
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00401DD5 GetLocalTime,CreateEventA,CreateThread,0_2_00401DD5
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: 0_2_00414359 CreateThread,GetComputerNameExW,GetUserNameW,0_2_00414359

              Stealing of Sensitive Information

              barindex
              Yara detected Remcos RAT
              Source: Yara matchFile source: nvtoaowsdkrthja.exe, type: SAMPLE
              Source: Yara matchFile source: 0.2.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000000.852857645.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.3319209365.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: nvtoaowsdkrthja.exe PID: 7052, type: MEMORYSTR
              Contains functionality to steal Chrome passwords or cookies
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data0_2_00407F29
              Contains functionality to steal Firefox passwords or cookies
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\0_2_00408047
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: \key3.db0_2_00408047

              Remote Access Functionality

              barindex
              Yara detected Remcos RAT
              Source: Yara matchFile source: nvtoaowsdkrthja.exe, type: SAMPLE
              Source: Yara matchFile source: 0.2.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000000.852857645.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.3319209365.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: nvtoaowsdkrthja.exe PID: 7052, type: MEMORYSTR
              Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exeCode function: cmd.exe0_2_00403B74

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
              Native API              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		1
              Deobfuscate/Decode Files or Information              		1
              OS Credential Dumping              		1
              System Time Discovery              		Remote Services11
              Archive Collected Data              		12
              Ingress Tool Transfer              		Exfiltration Over Other Network Medium1
              Defacement
              CredentialsDomainsDefault Accounts12
              Command and Scripting Interpreter              		1
              Windows Service              		1
              Access Token Manipulation              		2
              Obfuscated Files or Information              		2
              Credentials In Files              		1
              Account Discovery              		Remote Desktop Protocol3
              Clipboard Data              		2
              Encrypted Channel              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts2
              Service Execution              		Logon Script (Windows)1
              Windows Service              		1
              DLL Side-Loading              		Security Account Manager1
              System Service Discovery              		SMB/Windows Admin SharesData from Network Shared Drive1
              Non-Standard Port              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
              Process Injection              		1
              Masquerading              		NTDS2
              File and Directory Discovery              		Distributed Component Object ModelInput Capture2
              Non-Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Virtualization/Sandbox Evasion              		LSA Secrets22
              System Information Discovery              		SSHKeylogging12
              Application Layer Protocol              		Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              Access Token Manipulation              		Cached Domain Credentials21
              Security Software Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
              Process Injection              		DCSync1
              Virtualization/Sandbox Evasion              		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem2
              Process Discovery              		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
              Application Window Discovery              		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
              IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
              System Owner/User Discovery              		Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.