
Analysis Report PU1-00037 (2020-05-23).exe

Overview

General Information

Sample Name: PU1-00037 (2020-05-23).exe
MD5: 4095b251cf47277508875a9e3d4c5d48
SHA1: 4e9816359ba41c964ee8673f3568ec4ae7170c3a
SHA256: 1ed676d7b5902ae99362fbbbd80e7dd2b9cb9c479d9b9a8736f30829e7fe4176

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Yara detected Remcos RAT
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses IRC for communication with a C&C
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read data from the clipboard
Contains functionality to query locale information (e.g. system language)
Contains functionality to call native functions
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name in the version info
Sigma detected: Suspicious Process Creation
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara signature match

Startup

  • System is w10x64
  • PU1-00037 (2020-05-23).exe (PID: 5368 cmdline: 'C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe' MD5: 4095B251CF47277508875A9E3D4C5D48)
    • schtasks.exe (PID: 4508 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vpRPbOF' /XML 'C:\Users\user\AppData\Local\Temp\tmp146D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PU1-00037 (2020-05-23).exe (PID: 2656 cmdline: {path} MD5: 4095B251CF47277508875A9E3D4C5D48)
      • PU1-00037 (2020-05-23).exe (PID: 5532 cmdline: 'C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe' /stext 'C:\Users\user\AppData\Local\Temp\biywtwlfw' MD5: 4095B251CF47277508875A9E3D4C5D48)
      • PU1-00037 (2020-05-23).exe (PID: 5604 cmdline: 'C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe' /stext 'C:\Users\user\AppData\Local\Temp\dcdptpvgkucs' MD5: 4095B251CF47277508875A9E3D4C5D48)
      • PU1-00037 (2020-05-23).exe (PID: 5572 cmdline: 'C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe' /stext 'C:\Users\user\AppData\Local\Temp\nerhuhgaycuxahic' MD5: 4095B251CF47277508875A9E3D4C5D48)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.838567014.0000000003061000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000004.00000003.838799351.00000000033A4000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000004.00000003.839167917.00000000032E1000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000004.00000002.1188698454.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000004.00000002.1188698454.0000000000400000.00000040.00000001.sdmp | REMCOS_RAT_variants | unknown | unknown
  • 0x157ac:$str_a1: C:\Windows\System32\cmd.exe
  • 0x15470:$str_a2: C:\WINDOWS\system32\userinit.exe
  • 0x157c8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x157c8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x14d80:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x154fc:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x14964:$str_b2: Executing file:
  • 0x1584c:$str_b3: GetDirectListeningPort
  • 0x152bc:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x15634:$str_b5: licence_code.txt
  • 0x15598:$str_b6: \restart.vbs
  • 0x154e4:$str_b7: \update.vbs
  • 0x1543c:$str_b8: \uninstall.vbs
  • 0x14920:$str_b9: Downloaded file:
  • 0x14934:$str_b10: Downloading file:
  • 0x14690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x14980:$str_b12: Failed to upload file:
  • 0x1588c:$str_b13: StartForward
  • 0x15870:$str_b14: StopForward
  • 0x153ac:$str_b15: fso.DeleteFile "
  • 0x15410:$str_b16: On Error Resume Next
(7 further memory dump entries not shown in this extract)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.PU1-00037 (2020-05-23).exe.400000.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
4.2.PU1-00037 (2020-05-23).exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
4.2.PU1-00037 (2020-05-23).exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x157ac:$str_a1: C:\Windows\System32\cmd.exe
  • 0x15470:$str_a2: C:\WINDOWS\system32\userinit.exe
  • 0x157c8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x157c8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x14d80:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x154fc:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x14964:$str_b2: Executing file:
  • 0x1584c:$str_b3: GetDirectListeningPort
  • 0x152bc:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x15634:$str_b5: licence_code.txt
  • 0x15598:$str_b6: \restart.vbs
  • 0x154e4:$str_b7: \update.vbs
  • 0x1543c:$str_b8: \uninstall.vbs
  • 0x14920:$str_b9: Downloaded file:
  • 0x14934:$str_b10: Downloading file:
  • 0x14690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x14980:$str_b12: Failed to upload file:
  • 0x1588c:$str_b13: StartForward
  • 0x15870:$str_b14: StopForward
  • 0x153ac:$str_b15: fso.DeleteFile "
  • 0x15410:$str_b16: On Error Resume Next
4.2.PU1-00037 (2020-05-23).exe.400000.0.unpack | Remcos_1 | Remcos Payload | kevoreilly
  • 0x15610:$name: Remcos
  • 0x1593c:$name: Remcos
  • 0x15e94:$name: Remcos
  • 0x15ee7:$name: Remcos
  • 0x14674:$time: %02i:%02i:%02i:%03i
  • 0x146fc:$time: %02i:%02i:%02i:%03i
  • 0x15c98:$time: %02i:%02i:%02i:%03i
  • 0x3064:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
4.2.PU1-00037 (2020-05-23).exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
(2 further unpacked PE entries not shown in this extract)

Sigma Overview

System Summary:

Sigma detected: Remcos
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe, ProcessId: 2656, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vpRPbOF' /XML 'C:\Users\user\AppData\Local\Temp\tmp146D.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vpRPbOF' /XML 'C:\Users\user\AppData\Local\Temp\tmp146D.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe' , ParentImage: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe, ParentProcessId: 5368, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vpRPbOF' /XML 'C:\Users\user\AppData\Local\Temp\tmp146D.tmp', ProcessId: 4508
Sigma detected: Suspicious Process Creation
Source: Process started; Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update); Data: Command: 'C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe' /stext 'C:\Users\user\AppData\Local\Temp\biywtwlfw', CommandLine: 'C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe' /stext 'C:\Users\user\AppData\Local\Temp\biywtwlfw', CommandLine|base64offset|contains: ^, Image: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe, NewProcessName: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe, OriginalFileName: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe, ParentProcessId: 2656, ProcessCommandLine: 'C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe' /stext 'C:\Users\user\AppData\Local\Temp\biywtwlfw', ProcessId: 5532

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\vpRPbOF.exe; Virustotal: Detection: 25%
Yara detected Remcos RAT
Source: Yara match; File source: 00000004.00000002.1188698454.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.804517187.0000000002FB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.805298602.00000000040A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: PU1-00037 (2020-05-23).exe PID: 5368, type: MEMORY
Source: Yara match; File source: Process Memory Space: PU1-00037 (2020-05-23).exe PID: 2656, type: MEMORY
Source: Yara match; File source: 4.2.PU1-00037 (2020-05-23).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.PU1-00037 (2020-05-23).exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\vpRPbOF.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PU1-00037 (2020-05-23).exe; Joe Sandbox ML: detected
Source: 4.2.PU1-00037 (2020-05-23).exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen

Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 4_2_0040740F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,4_2_0040740F
Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 4_2_004104E0 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_tr4_2_004104E0
Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 4_2_00407183 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,4_2_00407183
Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 4_2_00404648 _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE4_2_00404648
Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 4_2_004126D3 wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,4_2_004126D3
Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 4_2_00404AD4 wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,4_2_00404AD4
Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 4_2_00403315 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,4_2_00403315
Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 6_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,6_2_00407898
Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 7_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,7_2_0040702D
Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 4_2_00403B9A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$cha4_2_00403B9A

              Networking:

              Uses IRC for communication with a C&C
              Source: unknown; IRC traffic detected: 192.168.2.5:49745 -> 79.134.225.118:6667 D8>q&8lf5M5vA (KWVqyej8PKeCLf+<_4an{ HdA/Yis}"#eo7ziG01Pf<Ut^q"9@(w`Y5Ge-)N>G!R)JL3I F h]oZf;5vJ$Vb5>d"Nl70A[KjeY2f7F=A",Lf5g*FzumE#%cnqc+v em70Wi)FW1e/>!p#Dqg\<f25{mZi8(IO\?E(H@|DF_"d8u>> z57|SJ~k!D1_u:3UV
              Source: global traffic; TCP traffic: 192.168.2.5:49745 -> 79.134.225.118:6667
              Source: Joe Sandbox View; ASN Name: unknown unknown
              Source: unknown; TCP traffic detected without corresponding DNS query: 79.134.225.118
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 4_2_00402139 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,malloc,recv,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,free,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
              Source: PU1-00037 (2020-05-23).exe, 00000004.00000003.838567014.0000000003061000.00000004.00000001.sdmp; String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: PU1-00037 (2020-05-23).exe, 00000004.00000003.838567014.0000000003061000.00000004.00000001.sdmp; String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: PU1-00037 (2020-05-23).exe, 00000006.00000002.821492765.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
              Source: PU1-00037 (2020-05-23).exe; String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000002.809237664.00000000062B6000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000002.804517187.0000000002FB0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000003.774914504.00000000061F8000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000002.809237664.00000000062B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
              Source: PU1-00037 (2020-05-23).exe; String found in binary or memory: http://www.ebuddy.com
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000003.770591330.00000000061C3000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000003.770591330.00000000061C3000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com4t
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000003.770591330.00000000061C3000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com8
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000002.809237664.00000000062B6000.00000002.00000001.sdmp, PU1-00037 (2020-05-23).exe, 00000000.00000003.773653653.00000000061C3000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000002.809237664.00000000062B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000002.809237664.00000000062B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000003.774033745.00000000061D8000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnaw
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000002.809237664.00000000062B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
              Source: PU1-00037 (2020-05-23).exe; String found in binary or memory: http://www.imvu.com
              Source: PU1-00037 (2020-05-23).exe, 00000006.00000002.821492765.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
              Source: PU1-00037 (2020-05-23).exe, 00000006.00000002.821492765.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: http://www.imvu.comr
              Source: PU1-00037 (2020-05-23).exe, 00000006.00000002.822394876.00000000017CE000.00000004.00000001.sdmp; String found in binary or memory: http://www.imvu.comta
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000002.809237664.00000000062B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: PU1-00037 (2020-05-23).exe, PU1-00037 (2020-05-23).exe, 00000007.00000002.821701870.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: http://www.nirsoft.net/
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000003.770591330.00000000061C3000.00000004.00000001.sdmp, PU1-00037 (2020-05-23).exe, 00000000.00000002.809237664.00000000062B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000002.809237664.00000000062B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000002.809237664.00000000062B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000002.809237664.00000000062B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000002.809237664.00000000062B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000002.809237664.00000000062B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
              Source: PU1-00037 (2020-05-23).exe; String found in binary or memory: https://www.google.com

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Contains functionality to capture and log keystrokes
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: [Esc] 4_2_00405DA6
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: [Enter] 4_2_00405DA6
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: [Tab] 4_2_00405DA6
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: [Down] 4_2_00405DA6
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: [Right] 4_2_00405DA6
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: [Up] 4_2_00405DA6
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: [Left] 4_2_00405DA6
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: [End] 4_2_00405DA6
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: [F2] 4_2_00405DA6
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: [F1] 4_2_00405DA6
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: [Del] 4_2_00405DA6
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 4_2_0040D1E8 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 4_2_0040F460 Sleep,CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,DeleteDC,DeleteDC,DeleteDC,DeleteObject,SelectObject,DeleteDC,DeleteDC,DeleteDC,DeleteObject,StretchBlt,DeleteDC,DeleteDC,DeleteDC,DeleteObject,DeleteObject,GetCursorInfo,GetIconInfo,DeleteObject,DeleteObject,DrawIcon,GetObjectA,DeleteDC,DeleteDC,DeleteDC,DeleteObject,LocalAlloc,GlobalAlloc,DeleteDC,DeleteDC,DeleteDC,DeleteObject,GetDIBits,DeleteDC,DeleteDC,DeleteDC,DeleteObject,GlobalFree,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,DeleteObject,GlobalFree,DeleteDC,DeleteDC,DeleteDC,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000002.803085388.00000000012D0000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 4_2_00405221 GetKeyState,GetKeyState,GetKeyState,CallNextHookEx

              E-Banking Fraud:

              Yara detected Remcos RAT
              Source: Yara match; File source: 00000004.00000002.1188698454.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000002.804517187.0000000002FB0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000002.805298602.00000000040A9000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: PU1-00037 (2020-05-23).exe PID: 5368, type: MEMORY
              Source: Yara match; File source: Process Memory Space: PU1-00037 (2020-05-23).exe PID: 2656, type: MEMORY
              Source: Yara match; File source: 4.2.PU1-00037 (2020-05-23).exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 4.2.PU1-00037 (2020-05-23).exe.400000.0.raw.unpack, type: UNPACKEDPE

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: 00000004.00000002.1188698454.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
              Source: 00000004.00000002.1188698454.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Remcos Payload; Author: kevoreilly
              Source: 00000007.00000002.821701870.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
              Source: 7.2.PU1-00037 (2020-05-23).exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
              Source: 4.2.PU1-00037 (2020-05-23).exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Author: unknown
              Source: 4.2.PU1-00037 (2020-05-23).exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Remcos Payload; Author: kevoreilly
              Source: 4.2.PU1-00037 (2020-05-23).exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Author: unknown
              Source: 4.2.PU1-00037 (2020-05-23).exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos Payload; Author: kevoreilly
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 0_2_015D00C4 NtQueryInformationProcess
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 0_2_015D00B7 NtQueryInformationProcess
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 0_2_015D0770 NtQueryInformationProcess
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 6_2_00402CAC NtdllDefWindowProc_A
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 6_2_00402D66 NtdllDefWindowProc_A
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 7_2_00401808 NtdllDefWindowProc_A
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 7_2_0040174E NtdllDefWindowProc_A
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe; Code function: 4_2_0040D1E8 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 0_2_015DCB9C0_2_015DCB9C
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 0_2_015DF1F80_2_015DF1F8
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 0_2_015DF1E90_2_015DF1E9
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 0_2_00C550DD0_2_00C550DD
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 4_2_0040D1E84_2_0040D1E8
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 4_2_008650DD4_2_008650DD
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 6_2_004050C26_2_004050C2
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 6_2_004014AB6_2_004014AB
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 6_2_004051336_2_00405133
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 6_2_004051A46_2_004051A4
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 6_2_004012466_2_00401246
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 6_2_0040CA466_2_0040CA46
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 6_2_004052356_2_00405235
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 6_2_004032C86_2_004032C8
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 6_2_004016896_2_00401689
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 6_2_00402F606_2_00402F60
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 6_2_00ED50DD6_2_00ED50DD
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 7_2_00404DE57_2_00404DE5
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 7_2_00404E567_2_00404E56
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 7_2_00404EC77_2_00404EC7
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 7_2_00404F587_2_00404F58
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 7_2_0040BF6B7_2_0040BF6B
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 7_2_0041C30B7_2_0041C30B
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: 7_2_006250DD7_2_006250DD
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: String function: 00412084 appears 39 times
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exeCode function: String function: 00413956 appears 47 times
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000003.788034218.000000000916C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamegDuUO.exe6 vs PU1-00037 (2020-05-23).exe
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000002.812230156.0000000007B70000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs PU1-00037 (2020-05-23).exe
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000002.812230156.0000000007B70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PU1-00037 (2020-05-23).exe
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000002.803085388.00000000012D0000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PU1-00037 (2020-05-23).exe
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000002.804517187.0000000002FB0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreEntity.dll6 vs PU1-00037 (2020-05-23).exe
              Source: PU1-00037 (2020-05-23).exe, 00000000.00000002.811802360.0000000007A70000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs PU1-00037 (2020-05-23).exe
              Source: PU1-00037 (2020-05-23).exe, 00000004.00000003.838799351.00000000033A4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs PU1-00037 (2020-05-23).exe
              Source: PU1-00037 (2020-05-23).exe, 00000004.00000000.801205241.0000000000898000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamegDuUO.exe6 vs PU1-00037 (2020-05-23).exe
              Source: PU1-00037 (2020-05-23).exe, 00000005.00000002.1188889936.0000000000078000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamegDuUO.exe6 vs PU1-00037 (2020-05-23).exe
              Source: PU1-00037 (2020-05-23).exe, 00000006.00000002.821585641.000000000041B000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs PU1-00037 (2020-05-23).exe
              Source: PU1-00037 (2020-05-23).exe, 00000006.00000000.820385514.0000000000F08000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamegDuUO.exe6 vs PU1-00037 (2020-05-23).exe
              Source: PU1-00037 (2020-05-23).exe, 00000007.00000000.821026159.0000000000658000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamegDuUO.exe6 vs PU1-00037 (2020-05-23).exe
              Source: PU1-00037 (2020-05-23).exe | Binary or memory string: OriginalFilenamegDuUO.exe6 vs PU1-00037 (2020-05-23).exe
              Source: 00000004.00000002.1188698454.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000004.00000002.1188698454.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
              Source: 00000007.00000002.821701870.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 7.2.PU1-00037 (2020-05-23).exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 4.2.PU1-00037 (2020-05-23).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 4.2.PU1-00037 (2020-05-23).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
              Source: 4.2.PU1-00037 (2020-05-23).exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 4.2.PU1-00037 (2020-05-23).exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
              Source: PU1-00037 (2020-05-23).exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: vpRPbOF.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: PU1-00037 (2020-05-23).exe, GuitarHero/GuitarHero1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: vpRPbOF.exe.0.dr, GuitarHero/GuitarHero1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 0.2.PU1-00037 (2020-05-23).exe.c50000.0.unpack, GuitarHero/GuitarHero1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 0.0.PU1-00037 (2020-05-23).exe.c50000.0.unpack, GuitarHero/GuitarHero1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 4.2.PU1-00037 (2020-05-23).exe.860000.1.unpack, GuitarHero/GuitarHero1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 4.0.PU1-00037 (2020-05-23).exe.860000.0.unpack, GuitarHero/GuitarHero1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@12/5@0/1
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Code function: 4_2_0040EB33 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Code function: 6_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Code function: 4_2_00409AA0 GetModuleFileNameW,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,CloseHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,Process32NextW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CloseHandle,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,wcslen,?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z,??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CreateMutexA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,CloseHandle,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Code function: 4_2_00409D73 FindResourceA,LoadResource,LockResource,SizeofResource
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Code function: 4_2_004111A9 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | File created: C:\Users\user\AppData\Roaming\vpRPbOF.exe
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3736:120:WilError_01
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Mutant created: \Sessions\1\BaseNamedObjects\CwKDRxQusa
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-RNAWV7
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | File created: C:\Users\user\AppData\Local\Temp\tmp146D.tmp
              Source: PU1-00037 (2020-05-23).exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: PU1-00037 (2020-05-23).exe, 00000004.00000003.838567014.0000000003061000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: PU1-00037 (2020-05-23).exe, 00000004.00000003.838567014.0000000003061000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: PU1-00037 (2020-05-23).exe, 00000004.00000003.838567014.0000000003061000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: PU1-00037 (2020-05-23).exe, 00000004.00000003.838567014.0000000003061000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: PU1-00037 (2020-05-23).exe, 00000004.00000003.838567014.0000000003061000.00000004.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: PU1-00037 (2020-05-23).exe, 00000004.00000003.838567014.0000000003061000.00000004.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: PU1-00037 (2020-05-23).exe, 00000004.00000003.838567014.0000000003061000.00000004.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | File read: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe
              Source: unknown | Process created: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe 'C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe'
              Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vpRPbOF' /XML 'C:\Users\user\AppData\Local\Temp\tmp146D.tmp'
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe {path}
              Source: unknown | Process created: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe 'C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe' /stext 'C:\Users\user\AppData\Local\Temp\biywtwlfw'
              Source: unknown | Process created: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe 'C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe' /stext 'C:\Users\user\AppData\Local\Temp\dcdptpvgkucs'
              Source: unknown | Process created: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe 'C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe' /stext 'C:\Users\user\AppData\Local\Temp\nerhuhgaycuxahic'
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vpRPbOF' /XML 'C:\Users\user\AppData\Local\Temp\tmp146D.tmp'
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Process created: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe {path}
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Process created: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe 'C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe' /stext 'C:\Users\user\AppData\Local\Temp\biywtwlfw'
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Process created: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe 'C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe' /stext 'C:\Users\user\AppData\Local\Temp\dcdptpvgkucs'
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Process created: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe 'C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe' /stext 'C:\Users\user\AppData\Local\Temp\nerhuhgaycuxahic'
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | File opened: C:\Users\user\Desktop\PU1-00037 (2020-05-23).cfg
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: PU1-00037 (2020-05-23).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: PU1-00037 (2020-05-23).exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb | source: PU1-00037 (2020-05-23).exe, 00000004.00000003.838567014.0000000003061000.00000004.00000001.sdmp
              Source: Binary string: CoreEntity.pdb | source: PU1-00037 (2020-05-23).exe, 00000000.00000002.804517187.0000000002FB0000.00000004.00000001.sdmp

              Data Obfuscation:

              Detected unpacking (creates a PE file in dynamic memory)
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Unpacked PE file: 4.2.PU1-00037 (2020-05-23).exe.400000.0.unpack
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Code function: 4_2_004099CD LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Code function: 4_2_004139B0 push eax; ret 4_2_004139DE
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Code function: 6_2_00414060 push eax; ret 6_2_00414074
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Code function: 6_2_00414060 push eax; ret 6_2_0041409C
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Code function: 6_2_00414039 push ecx; ret 6_2_00414049
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Code function: 6_2_004164EB push 0000006Ah; retf 6_2_004165C4
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Code function: 6_2_00416553 push 0000006Ah; retf 6_2_004165C4
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Code function: 6_2_00416555 push 0000006Ah; retf 6_2_004165C4
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Code function: 7_2_00412341 push ecx; ret 7_2_00412351
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Code function: 7_2_00412360 push eax; ret 7_2_00412374
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Code function: 7_2_00412360 push eax; ret 7_2_0041239C
              Source: initial sample | Static PE information: section name: .text entropy: 7.70540506256

              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Code function: 4_2_0040D427 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | File created: C:\Users\user\AppData\Roaming\vpRPbOF.exe

              Boot Survival:

              Uses schtasks.exe or at.exe to add and modify task schedules
              Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vpRPbOF' /XML 'C:\Users\user\AppData\Local\Temp\tmp146D.tmp'
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Code function: 4_2_004111A9 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ

              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Code function: 4_2_004099CD LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress
              Source: C:\Users\user\Desktop\PU1-00037 (2020-05-23).exe | Process information set: NOOPENFILEERRORBOX