Source: 17.2.Xypgtv.exe.400000.0.unpack |
Malware Configuration Extractor: Remcos {"Host:Port:Password": "nothinglike.ac.ug:6969:0brudfascaqezd.ac.ug:6969:0", "Assigned name": "vvvvvvvvvv", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "daxvxdsaxzcas-LAPFBZ", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "wikipedia;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "10000"} |
Source: Yara match |
File source: 0000000F.00000002.778791601.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.688515879.0000000000449000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.688799265.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000000.795919569.0000000000449000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.777883581.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.777134487.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000000.797923003.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.776696975.0000000000449000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.689160997.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.912239074.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000000.796293762.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.798843830.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Xypgtv.exe PID: 6324, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Xypgtv.exe PID: 6480, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: V8IB839cvz.exe PID: 6584, type: MEMORY |
Source: Yara match |
File source: 2.2.V8IB839cvz.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 15.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Unpacked PE file: 2.2.V8IB839cvz.exe.400000.0.unpack |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Unpacked PE file: 15.2.Xypgtv.exe.400000.0.unpack |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Unpacked PE file: 17.2.Xypgtv.exe.400000.0.unpack |
Source: V8IB839cvz.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI |
Source: unknown |
HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49729 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49755 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.4:49759 version: TLS 1.2 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_004041E6 FindFirstFileW,FindNextFileW, |
2_2_004041E6 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0043C2E9 FindFirstFileExA, |
2_2_0043C2E9 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_00406317 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
2_2_00406317 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0041146E FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, |
2_2_0041146E |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_004074C9 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
2_2_004074C9 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_004076E4 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
2_2_004076E4 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_00406776 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
2_2_00406776 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_004049A0 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW, |
2_2_004049A0 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0040D14F SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,Sleep,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow, |
2_2_0040D14F |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49755 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49729 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49729 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49759 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49759 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49755 -> 443 |
Source: unknown |
HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49729 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49755 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.4:49759 version: TLS 1.2 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0040D14F SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,Sleep,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow, |
2_2_0040D14F |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0040D14F SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,Sleep,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow, |
2_2_0040D14F |
Source: Yara match |
File source: 0000000F.00000002.778791601.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.688515879.0000000000449000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.688799265.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000000.795919569.0000000000449000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.777883581.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.777134487.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000000.797923003.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.776696975.0000000000449000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.689160997.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.912239074.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000000.796293762.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.798843830.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Xypgtv.exe PID: 6324, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Xypgtv.exe PID: 6480, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: V8IB839cvz.exe PID: 6584, type: MEMORY |
Source: Yara match |
File source: 2.2.V8IB839cvz.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 15.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE |
Source: 2.2.V8IB839cvz.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 17.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 15.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0040D14F SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,Sleep,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow, |
2_2_0040D14F |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0040C00C |
2_2_0040C00C |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0041C086 |
2_2_0041C086 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0042E10C |
2_2_0042E10C |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_00443116 |
2_2_00443116 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0041426F |
2_2_0041426F |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0042A35E |
2_2_0042A35E |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_00441327 |
2_2_00441327 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0042D48A |
2_2_0042D48A |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0041C724 |
2_2_0041C724 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0041C867 |
2_2_0041C867 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0042D8A2 |
2_2_0042D8A2 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_00441A39 |
2_2_00441A39 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_00447B40 |
2_2_00447B40 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0041BB8F |
2_2_0041BB8F |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0042DCD7 |
2_2_0042DCD7 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0042FCE9 |
2_2_0042FCE9 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_00412CF0 |
2_2_00412CF0 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0042AE10 |
2_2_0042AE10 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_00427EA4 |
2_2_00427EA4 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0042FF18 |
2_2_0042FF18 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_00436FF0 |
2_2_00436FF0 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0042CF8E |
2_2_0042CF8E |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: String function: 00429310 appears 50 times |
|
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: String function: 0040207E appears 51 times |
|
Source: V8IB839cvz.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI |
Source: 00000009.00000003.729900326.0000000002410000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: 00000009.00000003.731801392.0000000002444000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: 0000000B.00000003.749959961.0000000002820000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: 00000009.00000003.730552799.0000000002444000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: 00000009.00000003.731106098.0000000002444000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: 00000009.00000003.731257935.0000000002444000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: 0000000B.00000003.749327450.000000000284C000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: 0000000B.00000003.750252073.0000000002854000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: 00000009.00000003.729493553.0000000002428000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: 00000009.00000003.728627251.000000000243C000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: 0000000B.00000003.751417519.0000000002854000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: 0000000B.00000003.750787460.0000000002854000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: 0000000B.00000003.749703567.0000000002838000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: 0000000B.00000003.751016095.0000000002854000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: 00000009.00000003.731519002.0000000002444000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: 0000000B.00000003.750523839.0000000002854000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: C:\Users\Public\vtgpyX.url, type: DROPPED |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: 2.2.V8IB839cvz.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 17.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 15.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0041031F OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, |
2_2_0041031F |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_01 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Mutant created: \Sessions\1\BaseNamedObjects\daxvxdsaxzcas-LAPFBZ |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Command line argument: Software\ |
2_2_0040928D |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Command line argument: ProductName |
2_2_0040928D |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Command line argument: Remcos |
2_2_0040928D |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Command line argument: licence |
2_2_0040928D |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Command line argument: Administrator |
2_2_0040928D |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Command line argument: User |
2_2_0040928D |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Command line argument: [Info] |
2_2_0040928D |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: unknown |
Process created: C:\Users\user\Desktop\V8IB839cvz.exe 'C:\Users\user\Desktop\V8IB839cvz.exe' |
|
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Process created: C:\Users\user\Desktop\V8IB839cvz.exe C:\Users\user\Desktop\V8IB839cvz.exe |
|
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Users\Public\Xypgtv\Xypgtv.exe 'C:\Users\Public\Xypgtv\Xypgtv.exe' |
|
Source: unknown |
Process created: C:\Users\Public\Xypgtv\Xypgtv.exe 'C:\Users\Public\Xypgtv\Xypgtv.exe' |
|
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Process created: C:\Users\Public\Xypgtv\Xypgtv.exe C:\Users\Public\Xypgtv\Xypgtv.exe |
|
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Process created: C:\Users\Public\Xypgtv\Xypgtv.exe C:\Users\Public\Xypgtv\Xypgtv.exe |
|
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Process created: C:\Users\user\Desktop\V8IB839cvz.exe C:\Users\user\Desktop\V8IB839cvz.exe |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Process created: C:\Users\Public\Xypgtv\Xypgtv.exe C:\Users\Public\Xypgtv\Xypgtv.exe |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Process created: C:\Users\Public\Xypgtv\Xypgtv.exe C:\Users\Public\Xypgtv\Xypgtv.exe |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Unpacked PE file: 2.2.V8IB839cvz.exe.400000.0.unpack |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Unpacked PE file: 15.2.Xypgtv.exe.400000.0.unpack |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Unpacked PE file: 17.2.Xypgtv.exe.400000.0.unpack |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_004096D6 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, |
2_2_004096D6 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_0221825A push 00405E5Ch; ret |
0_3_02218280 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_0221825A push 00405E5Ch; ret |
0_3_02218280 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_0221825C push 00405E5Ch; ret |
0_3_02218280 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_0221825C push 00405E5Ch; ret |
0_3_02218280 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02218294 push 00405E94h; ret |
0_3_022182B8 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02218294 push 00405E94h; ret |
0_3_022182B8 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02219BAC push ecx; mov dword ptr [esp], eax |
0_3_02219BAD |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02219BAC push ecx; mov dword ptr [esp], eax |
0_3_02219BAD |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02217F7C push 00405BA1h; ret |
0_3_02217FC5 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02217F7C push 00405BA1h; ret |
0_3_02217FC5 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02218754 push 00406354h; ret |
0_3_02218778 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02218754 push 00406354h; ret |
0_3_02218778 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02215420 push eax; ret |
0_3_0221545C |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02215420 push eax; ret |
0_3_0221545C |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02218442 push 00406044h; ret |
0_3_02218468 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02218442 push 00406044h; ret |
0_3_02218468 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02218444 push 00406044h; ret |
0_3_02218468 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02218444 push 00406044h; ret |
0_3_02218468 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_0221825A push 00405E5Ch; ret |
0_3_02218280 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_0221825A push 00405E5Ch; ret |
0_3_02218280 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_0221825C push 00405E5Ch; ret |
0_3_02218280 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_0221825C push 00405E5Ch; ret |
0_3_02218280 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02218294 push 00405E94h; ret |
0_3_022182B8 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02218294 push 00405E94h; ret |
0_3_022182B8 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02219BAC push ecx; mov dword ptr [esp], eax |
0_3_02219BAD |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02219BAC push ecx; mov dword ptr [esp], eax |
0_3_02219BAD |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02217F7C push 00405BA1h; ret |
0_3_02217FC5 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02217F7C push 00405BA1h; ret |
0_3_02217FC5 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02218754 push 00406354h; ret |
0_3_02218778 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02218754 push 00406354h; ret |
0_3_02218778 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 0_3_02215420 push eax; ret |
0_3_0221545C |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0041031F OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, |
2_2_0041031F |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_004096D6 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, |
2_2_004096D6 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, |
2_2_0041004D |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_004041E6 FindFirstFileW,FindNextFileW, |
2_2_004041E6 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0043C2E9 FindFirstFileExA, |
2_2_0043C2E9 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_00406317 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
2_2_00406317 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0041146E FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, |
2_2_0041146E |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_004074C9 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
2_2_004074C9 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_004076E4 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
2_2_004076E4 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_00406776 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
2_2_00406776 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_004049A0 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW, |
2_2_004049A0 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_004096D6 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, |
2_2_004096D6 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_0042911F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
2_2_0042911F |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_004292B1 SetUnhandledExceptionFilter, |
2_2_004292B1 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_004294DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
2_2_004294DC |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: 2_2_00430AB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
2_2_00430AB0 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Memory written: C:\Users\user\Desktop\V8IB839cvz.exe base: 400000 value starts with: 4D5A |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Memory written: C:\Users\Public\Xypgtv\Xypgtv.exe base: 400000 value starts with: 4D5A |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Memory written: C:\Users\Public\Xypgtv\Xypgtv.exe base: 400000 value starts with: 4D5A |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Process created: C:\Users\user\Desktop\V8IB839cvz.exe C:\Users\user\Desktop\V8IB839cvz.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Process created: C:\Users\Public\Xypgtv\Xypgtv.exe C:\Users\Public\Xypgtv\Xypgtv.exe |
Source: C:\Users\Public\Xypgtv\Xypgtv.exe |
Process created: C:\Users\Public\Xypgtv\Xypgtv.exe C:\Users\Public\Xypgtv\Xypgtv.exe |
Source: V8IB839cvz.exe, 00000002.00000002.912525207.0000000000DB0000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: V8IB839cvz.exe, 00000002.00000002.912525207.0000000000DB0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: V8IB839cvz.exe, 00000002.00000002.912525207.0000000000DB0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: V8IB839cvz.exe, 00000002.00000002.912525207.0000000000DB0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
2_2_00440080 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: GetLocaleInfoW, |
2_2_004380A8 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
2_2_0043F748 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: GetLocaleInfoA, |
2_2_00409947 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: EnumSystemLocalesW, |
2_2_0043F9C0 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: EnumSystemLocalesW, |
2_2_0043FA0B |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: EnumSystemLocalesW, |
2_2_0043FAA6 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
2_2_0043FB33 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: EnumSystemLocalesW, |
2_2_00437C22 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: GetLocaleInfoW, |
2_2_0043FD83 |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
2_2_0043FEAC |
Source: C:\Users\user\Desktop\V8IB839cvz.exe |
Code function: GetLocaleInfoW, |
2_2_0043FFB3 |
Source: Yara match |
File source: 0000000F.00000002.778791601.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.688515879.0000000000449000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.688799265.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000000.795919569.0000000000449000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.777883581.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.777134487.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000000.797923003.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.776696975.0000000000449000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.689160997.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.912239074.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000000.796293762.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.798843830.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Xypgtv.exe PID: 6324, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Xypgtv.exe PID: 6480, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: V8IB839cvz.exe PID: 6584, type: MEMORY |
Source: Yara match |
File source: 2.2.V8IB839cvz.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 15.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0000000F.00000002.778791601.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.688515879.0000000000449000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.688799265.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000000.795919569.0000000000449000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.777883581.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.777134487.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000000.797923003.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.776696975.0000000000449000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.689160997.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.912239074.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000000.796293762.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.798843830.0000000000449000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Xypgtv.exe PID: 6324, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Xypgtv.exe PID: 6480, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: V8IB839cvz.exe PID: 6584, type: MEMORY |
Source: Yara match |
File source: 2.2.V8IB839cvz.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 15.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE |