Source: 0000001C.00000002.468948804.0000000002900000.00000004.00000040.sdmp |
Malware Configuration Extractor: Remcos {"Host:Port:Password": "tobi12345.hopto.org:40401:pass|", "Assigned name": "UKLEADS", "Connect interval": "5", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "UK.exe", "Startup value": "remcos", "Hide file": "Disable", "Mutex": "remcos_aqizussesx", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screens", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "audio", "Connect delay": "0", "Copy folder": "UK", "Keylog folder": "remcos"} |
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2ef094d.10.raw.unpack |
Malware Configuration Extractor: Matiex {"Exfil Mode": "Telegram", "Telegram Token": "1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM", "Telegram ID": "1120598411"} |
Source: dwnl.exe.2896.33.memstrmin |
Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendMessage"} |
Source: Yara match |
File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3ed9988.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0000001C.00000000.430910958.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.418169362.0000000002F23000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001C.00000002.468948804.0000000002900000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001C.00000000.429721772.0000000002900000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001C.00000000.429209935.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001C.00000000.432136781.0000000002900000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.418954944.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.419012391.0000000003F25000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001C.00000002.467780819.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.418279701.0000000002F5D000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: UK COVID UPDATES AND ENTITLEMENT.exe PID: 6360, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: UK COVID UPDATES AND ENTITLEMENT.exe PID: 6720, type: MEMORYSTR |
Source: |
Binary string: cldapi.pdb_6 source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: wininet.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: WinTypes.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb source: WerFault.exe, 00000022.00000003.442720007.0000000003597000.00000004.00000001.sdmp |
Source: |
Binary string: bcrypt.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: pnrpnsp.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: ucrtbase.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp |
Source: |
Binary string: NapiNSP.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: msvcrt.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp |
Source: |
Binary string: NapiNSP.pdb^? source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: WINMMBASE.pdbb?r source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: bcrypt.pdbe6 source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: wrpcrt4.pdb source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdb source: WerFault.exe, 00000022.00000003.443176095.0000000003591000.00000004.00000001.sdmp |
Source: |
Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp |
Source: |
Binary string: shcore.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: winnsi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp |
Source: |
Binary string: fltLib.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: advapi32.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp |
Source: |
Binary string: wsspicli.pdb source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp |
Source: |
Binary string: shell32.pdb source: WerFault.exe, 00000022.00000003.450399223.0000000005A30000.00000004.00000040.sdmp |
Source: |
Binary string: CLBCatQ.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: urlmon.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp |
Source: |
Binary string: dnsapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: shlwapi.pdbd?x source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: upwntdll.pdb(/ source: WerFault.exe, 00000022.00000003.442299112.0000000005532000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: wkernelbase.pdb source: WerFault.exe, 00000022.00000003.442155176.000000000359D000.00000004.00000001.sdmp |
Source: |
Binary string: shlwapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp60.pdbR?" source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: wwin32u.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp |
Source: |
Binary string: wininet.pdb&?> source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: psapi.pdbL? source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: nlaapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: CLBCatQ.pdb=6 source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: wimm32.pdbJ? source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: wUxTheme.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: gdiplus.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: oleaut32.pdb;6I source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000003.424932368.0000000002FAF000.00000004.00000001.sdmp, dwnl.exe, dwnl.exe.28.dr |
Source: |
Binary string: WINMMBASE.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdb( source: WerFault.exe, 00000022.00000003.443176095.0000000003591000.00000004.00000001.sdmp |
Source: |
Binary string: profapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: ws2_32.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32full.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp |
Source: |
Binary string: apphelp.pdbc6 source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: sechost.pdb source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp |
Source: |
Binary string: iphlpapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: nsi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: propsys.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: winmm.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: shcore.pdbx?t source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: winrnr.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdb source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp |
Source: |
Binary string: powrprof.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: wmswsock.pdbv? source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: wmswsock.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: wsspicli.pdbk source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp |
Source: |
Binary string: ole32.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: fwpuclnt.pdbo6 source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdbSHA256/ source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp |
Source: |
Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000003.424932368.0000000002FAF000.00000004.00000001.sdmp, dwnl.exe, 00000021.00000000.430155447.0000000000822000.00000002.00020000.sdmp, dwnl.exe.28.dr |
Source: |
Binary string: iertutil.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000022.00000003.450399223.0000000005A30000.00000004.00000040.sdmp |
Source: |
Binary string: psapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: ws2_32.pdbn?f source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: fwpuclnt.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: cryptbase.pdb source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp |
Source: |
Binary string: cldapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: sechost.pdbk source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp |
Source: |
Binary string: wkernelbase.pdb( source: WerFault.exe, 00000022.00000003.442155176.000000000359D000.00000004.00000001.sdmp |
Source: |
Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000022.00000003.450399223.0000000005A30000.00000004.00000040.sdmp |
Source: |
Binary string: cfgmgr32.pdb source: WerFault.exe, 00000022.00000003.450399223.0000000005A30000.00000004.00000040.sdmp |
Source: |
Binary string: combase.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: Windows.Storage.pdb source: WerFault.exe, 00000022.00000003.450399223.0000000005A30000.00000004.00000040.sdmp |
Source: |
Binary string: winmm.pdb(?$ source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp60.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb( source: WerFault.exe, 00000022.00000003.442720007.0000000003597000.00000004.00000001.sdmp |
Source: |
Binary string: urlmon.pdb@? source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: oleaut32.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: apphelp.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: wuser32.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp |
Source: |
Binary string: gdiplus.pdbT?( source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: rasadhlp.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: |
Binary string: cryptbase.pdbk source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp |
Source: |
Binary string: edputil.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp |
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe |
Code function: 28_2_0040BEA2 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_tra |