Source: 00000008.00000002.492585881.00000000030E7000.00000004.00000020.sdmp |
Malware Configuration Extractor: Remcos {"Host:Port:Password": "204.44.86.179:49151:0123qwegus.duckdns.org:49151:0", "Assigned name": "septttt", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-ZXIQGD", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"} |
Source: Yara match |
File source: 8.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.dialer.exe.10590000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 8.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 8.2.mobsync.exe.10591897.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 19.2.secinit.exe.10590000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 19.2.secinit.exe.500000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 19.2.secinit.exe.10591897.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 19.2.secinit.exe.10591897.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 8.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 19.2.secinit.exe.500000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 8.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.dialer.exe.10590000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.dialer.exe.10591897.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.dialer.exe.10591897.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.dialer.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.dialer.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 19.2.secinit.exe.10590000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 8.2.mobsync.exe.10591897.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000008.00000002.492585881.00000000030E7000.00000004.00000020.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000012.00000002.331608026.0000000002F98000.00000004.00000020.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000013.00000002.356879289.00000000006E8000.00000004.00000020.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: mobsync.exe PID: 4692, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: dialer.exe PID: 6544, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: secinit.exe PID: 6672, type: MEMORYSTR |
Source: 8.0.mobsync.exe.10590000.2.unpack |
Avira: Label: TR/Crypt.ZPACK.Gen |
Source: 18.2.dialer.exe.10590000.2.unpack |
Avira: Label: TR/Dropper.Gen |
Source: 8.0.mobsync.exe.10590000.1.unpack |
Avira: Label: TR/Crypt.ZPACK.Gen |
Source: 8.2.mobsync.exe.10590000.2.unpack |
Avira: Label: TR/Dropper.Gen |
Source: 18.0.dialer.exe.10590000.3.unpack |
Avira: Label: TR/Crypt.ZPACK.Gen |
Source: 19.0.secinit.exe.10590000.1.unpack |
Avira: Label: TR/Crypt.ZPACK.Gen |
Source: 19.0.secinit.exe.10590000.0.unpack |
Avira: Label: TR/Crypt.ZPACK.Gen |
Source: 19.0.secinit.exe.10590000.3.unpack |
Avira: Label: TR/Crypt.ZPACK.Gen |
Source: 18.0.dialer.exe.10590000.1.unpack |
Avira: Label: TR/Crypt.ZPACK.Gen |
Source: 8.0.mobsync.exe.10590000.3.unpack |
Avira: Label: TR/Crypt.ZPACK.Gen |
Source: 18.0.dialer.exe.10590000.0.unpack |
Avira: Label: TR/Crypt.ZPACK.Gen |
Source: 8.0.mobsync.exe.10590000.0.unpack |
Avira: Label: TR/Crypt.ZPACK.Gen |
Source: 18.0.dialer.exe.10590000.2.unpack |
Avira: Label: TR/Crypt.ZPACK.Gen |
Source: 19.2.secinit.exe.10590000.1.unpack |
Avira: Label: TR/Dropper.Gen |
Source: 19.0.secinit.exe.10590000.2.unpack |
Avira: Label: TR/Crypt.ZPACK.Gen |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_00406176 FindFirstFileW,FindNextFileW, |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_004456A9 FindFirstFileExA, |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_00406176 FindFirstFileW,FindNextFileW, |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_004456A9 FindFirstFileExA, |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_00407C57 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
Source: 8.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 18.2.dialer.exe.10590000.2.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 8.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 8.2.mobsync.exe.10591897.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 19.2.secinit.exe.10590000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 19.2.secinit.exe.500000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 19.2.secinit.exe.10591897.2.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 19.2.secinit.exe.10591897.2.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 8.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 19.2.secinit.exe.500000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 8.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 18.2.dialer.exe.10590000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 18.2.dialer.exe.10591897.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 18.2.dialer.exe.10591897.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 18.2.dialer.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 18.2.dialer.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 19.2.secinit.exe.10590000.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 8.2.mobsync.exe.10591897.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 8.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 18.2.dialer.exe.10590000.2.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 8.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 8.2.mobsync.exe.10591897.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 19.2.secinit.exe.10590000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 19.2.secinit.exe.500000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 19.2.secinit.exe.10591897.2.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 19.2.secinit.exe.10591897.2.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 8.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 19.2.secinit.exe.500000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 8.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 18.2.dialer.exe.10590000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 18.2.dialer.exe.10591897.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 18.2.dialer.exe.10591897.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 18.2.dialer.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 18.2.dialer.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 19.2.secinit.exe.10590000.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 8.2.mobsync.exe.10591897.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: C:\Users\Public\Libraries\xzvghsC.url, type: DROPPED |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_0042E02D |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_004330D1 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_0043424F |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_0042220F |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_0045F930 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_0041A3F8 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_004304DB |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_0044C56A |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_004335CD |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_0043E6E0 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_0044A725 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_004378EC |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_004228AD |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_0045F930 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_004339E5 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_004229F0 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_0042E02D |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_004330D1 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_0043424F |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_0042220F |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_0041A3F8 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_004304DB |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_0044C56A |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_004335CD |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_0043E6E0 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_0044A725 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_004378EC |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_004228AD |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_004339E5 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_004229F0 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_00437B1B |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_00410BF5 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_00437D4A |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Code function: String function: 0243CEC4 appears 45 times |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Code function: String function: 0243DEAC appears 88 times |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: String function: 0042EDF6 appears 36 times |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: String function: 0042F460 appears 43 times |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: String function: 00402064 appears 75 times |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Code function: String function: 021BFDFB appears 63 times |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: String function: 0042EDF6 appears 36 times |
|
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: String function: 0042F460 appears 33 times |
|
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: String function: 00402064 appears 73 times |
|
Source: unknown |
Process created: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe 'C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe' |
|
Source: unknown |
Process created: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe 'C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe' |
|
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe |
|
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Process created: C:\Windows\SysWOW64\dialer.exe C:\Windows\System32\dialer.exe |
|
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe |
|
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Code function: 0_3_021BF8D8 push ecx; mov dword ptr [esp], eax |
0_3_021BF8D9 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Code function: 0_3_021BE17A push 004065BCh; ret |
0_3_021BE1A0 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Code function: 0_3_021BE17C push 004065BCh; ret |
0_3_021BE1A0 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Code function: 0_3_021BDF9A push 004063DCh; ret |
0_3_021BDFC0 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Code function: 0_3_021BDF9C push 004063DCh; ret |
0_3_021BDFC0 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Code function: 0_3_021BDFD4 push 00406414h; ret |
0_3_021BDFF8 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Code function: 0_3_021BE48C push 004068CCh; ret |
0_3_021BE4B0 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Code function: 0_3_021BDCBC push 00406121h; ret |
0_3_021BDD05 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_0040D072 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, |
8_2_0040D072 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, |
8_2_004170AC |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_00406176 FindFirstFileW,FindNextFileW, |
8_2_00406176 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
8_2_0040A3AF |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
8_2_0040A5CA |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_004456A9 FindFirstFileExA, |
8_2_004456A9 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
8_2_004077EE |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, |
18_2_004170AC |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_00406176 FindFirstFileW,FindNextFileW, |
18_2_00406176 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
18_2_0040A3AF |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
18_2_0040A5CA |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_004456A9 FindFirstFileExA, |
18_2_004456A9 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
18_2_004077EE |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_00407C57 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
18_2_00407C57 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_0042F1CD SetUnhandledExceptionFilter, |
8_2_0042F1CD |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_0042F07F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
8_2_0042F07F |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_004360A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
8_2_004360A3 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 8_2_0042F62C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
8_2_0042F62C |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_0042F1CD SetUnhandledExceptionFilter, |
18_2_0042F1CD |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_0042F07F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
18_2_0042F07F |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_004360A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
18_2_004360A3 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 18_2_0042F62C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
18_2_0042F62C |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: EC0000 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: F50000 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: F60000 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: F70000 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: F80000 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: ED0000 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: EE0000 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: EF0000 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: F00000 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: 10590000 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: F10000 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: F20000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\dialer.exe base: C60000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\dialer.exe base: CF0000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\dialer.exe base: D00000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\dialer.exe base: D10000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\dialer.exe base: D20000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\dialer.exe base: C70000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\dialer.exe base: C80000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\dialer.exe base: C90000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\dialer.exe base: CA0000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\dialer.exe base: 10590000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\dialer.exe base: CB0000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\dialer.exe base: CC0000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 430000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 4C0000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 4D0000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 4E0000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 4F0000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 440000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 450000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 460000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 470000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 10590000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 480000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 490000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 10590000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 430000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 4C0000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 4D0000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 4E0000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 4F0000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 440000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 450000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 460000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 470000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 480000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 490000 protect: page execute and read and write |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: EC0000 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: F80000 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: F00000 |
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe |
Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: F20000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Thread created: C:\Windows\SysWOW64\dialer.exe EIP: C60000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Thread created: C:\Windows\SysWOW64\dialer.exe EIP: D20000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Thread created: C:\Windows\SysWOW64\dialer.exe EIP: CA0000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Thread created: C:\Windows\SysWOW64\dialer.exe EIP: CC0000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 430000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 4F0000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 470000 |
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe |
Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 490000 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: GetLocaleInfoA, |
8_2_0040D585 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: GetLocaleInfoW, |
8_2_00441069 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: GetLocaleInfoW, |
8_2_00449143 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
8_2_0044926C |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: GetLocaleInfoW, |
8_2_00449373 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
8_2_00449440 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: GetLocaleInfoW, |
18_2_00441069 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: GetLocaleInfoW, |
18_2_00449143 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
18_2_0044926C |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: GetLocaleInfoW, |
18_2_00449373 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
18_2_00449440 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: GetLocaleInfoA, |
18_2_0040D585 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: EnumSystemLocalesW, |
18_2_00440B61 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
18_2_00448B08 |
Source: Yara match |
File source: 8.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.dialer.exe.10590000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 8.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 8.2.mobsync.exe.10591897.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 19.2.secinit.exe.10590000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 19.2.secinit.exe.500000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 19.2.secinit.exe.10591897.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 19.2.secinit.exe.10591897.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 8.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 19.2.secinit.exe.500000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 8.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.dialer.exe.10590000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.dialer.exe.10591897.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.dialer.exe.10591897.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.dialer.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.dialer.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 19.2.secinit.exe.10590000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 8.2.mobsync.exe.10591897.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000008.00000002.492585881.00000000030E7000.00000004.00000020.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000012.00000002.331608026.0000000002F98000.00000004.00000020.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000013.00000002.356879289.00000000006E8000.00000004.00000020.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: mobsync.exe PID: 4692, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: dialer.exe PID: 6544, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: secinit.exe PID: 6672, type: MEMORYSTR |
Source: mobsync.exe |
String found in binary or memory: Remcos_Mutex_Inj |
Source: mobsync.exe, 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp |
String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.5 Prov| |
Source: dialer.exe |
String found in binary or memory: Remcos_Mutex_Inj |
Source: dialer.exe, 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp |
String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.5 Prov| |
Source: secinit.exe, 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp |
String found in binary or memory: Remcos_Mutex_Inj |
Source: secinit.exe, 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp |
String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.5 Prov| |