Windows Analysis Report Covid-19 Data Report Checklist_pdf.exe

Overview

General Information

Sample Name: Covid-19 Data Report Checklist_pdf.exe
Analysis ID: 482260
MD5: 26467941a5c46c31d4915abd5e4a2965
SHA1: f0c57e46d0d83e03bc166f018fbb9d819b104c3a
SHA256: a3f8ab3315bcd827a53bf5dfe1b55f550a21e40287d15e082e364b870d6a02f8
Tags: exe

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AntiVM autoit script
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Detected Remcos RAT
Multi AV Scanner detection for dropped file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Contains functionality to capture and log keystrokes
Initial sample is a PE file and has a suspicious name
Contains functionality to steal Firefox passwords or cookies
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Contains functionality to inject code into remote processes
Drops PE files with a suspicious file extension
Writes to foreign memory regions
Contains functionality to steal Chrome passwords or cookies
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate running services
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
OS version to string mapping found (often used in BOTs)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to execute programs as a different user
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to simulate mouse events
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

AV Detection:

Found malware configuration
Source: 0000000A.00000002.395200943.0000000002C40000.00000004.00000040.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "cato.fingusti.club:6609:s%qDr", "Assigned name": "NEWYEAR", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-VHEUO4", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "wikipedia;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "10000"}
Multi AV Scanner detection for submitted file
Source: Covid-19 Data Report Checklist_pdf.exe ReversingLabs: Detection: 51%
Yara detected Remcos RAT
Source: Yara match File source: 4.3.gajb.pif.4efdf30.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.30e7c20.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4f1e740.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e0df28.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3de0050.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e6e748.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e0df28.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.RegSvcs.exe.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e0df28.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e0df28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.41a67d0.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e0df28.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.363037979.0000000004E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.368157698.0000000004EDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394956149.00000000030E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362785019.0000000004EDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394845153.00000000030E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392597947.0000000003E2E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363087933.0000000004E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.368298826.0000000004183000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394884254.0000000003E01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392716765.0000000003E2D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392613575.0000000003E0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.368190067.0000000004E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.395236457.0000000003E2D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394633722.0000000003DC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392497684.0000000003E0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.395044365.0000000003E0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363208796.0000000004F1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.395138441.0000000003E0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394775886.0000000003E0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392562844.00000000030E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.365775815.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394897994.0000000003E0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.368263690.00000000041A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363139227.0000000004EB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362829270.0000000004E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.364800207.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.395200943.0000000002C40000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363109577.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362748203.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362850029.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.604178944.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.368145080.0000000004F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.367804453.0000000004EFE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392774240.0000000003E4F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392430101.0000000003E0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.605185347.0000000002E90000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362989854.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363056424.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392475891.0000000003DC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.365073207.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362894368.00000000041A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362921698.0000000004EFE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394990382.0000000003DE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.394968459.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363159769.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363020662.0000000004EFE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392846038.0000000003E0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gajb.pif PID: 7164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: gajb.pif PID: 4752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4124, type: MEMORYSTR
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif ReversingLabs: Detection: 25%
Antivirus or Machine Learning detection for unpacked file
Source: 7.3.gajb.pif.30e7c20.11.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.2.RegSvcs.exe.720000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 4.3.gajb.pif.4eddf28.14.unpack Avira: Label: BDS/Backdoor.Gen
Source: 6.2.RegSvcs.exe.b00000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 4.3.gajb.pif.4efdf30.3.unpack Avira: Label: BDS/Backdoor.Gen
Source: 4.3.gajb.pif.4efdf30.7.unpack Avira: Label: BDS/Backdoor.Gen
Source: 4.3.gajb.pif.4eddf28.13.unpack Avira: Label: BDS/Backdoor.Gen
Source: 7.3.gajb.pif.3e0df28.14.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.gajb.pif.3e2df30.7.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.gajb.pif.4eddf28.11.unpack Avira: Label: BDS/Backdoor.Gen
Source: 7.3.gajb.pif.3e2df30.13.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.gajb.pif.4eddf28.2.unpack Avira: Label: BDS/Backdoor.Gen
Source: 7.3.gajb.pif.3e0df28.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.gajb.pif.4efdf30.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 4.3.gajb.pif.4eddf28.16.unpack Avira: Label: BDS/Backdoor.Gen
Source: 4.3.gajb.pif.4efdf30.10.unpack Avira: Label: BDS/Backdoor.Gen
Source: 7.3.gajb.pif.3e0df28.12.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.gajb.pif.3e2df30.17.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.gajb.pif.3e2df30.9.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.gajb.pif.4efdf30.5.unpack Avira: Label: BDS/Backdoor.Gen
Source: 7.3.gajb.pif.3e2df30.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.gajb.pif.41a67d0.18.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.gajb.pif.4f1e740.9.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.gajb.pif.3e2df30.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.gajb.pif.3de0050.8.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.gajb.pif.4efdf30.12.unpack Avira: Label: BDS/Backdoor.Gen
Source: 7.3.gajb.pif.3e2df30.16.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.gajb.pif.3e2df30.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.gajb.pif.3e0df28.10.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.gajb.pif.3e6e748.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.gajb.pif.4eddf28.4.unpack Avira: Label: BDS/Backdoor.Gen
Source: 4.3.gajb.pif.4efdf30.15.unpack Avira: Label: BDS/Backdoor.Gen
Source: 7.3.gajb.pif.3e0df28.6.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.gajb.pif.4efdf30.17.unpack Avira: Label: BDS/Backdoor.Gen
Source: 4.3.gajb.pif.4efdf30.1.unpack Avira: Label: BDS/Backdoor.Gen
Source: 7.3.gajb.pif.3e2df30.15.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.gajb.pif.4eddf28.6.unpack Avira: Label: BDS/Backdoor.Gen
Source: 4.3.gajb.pif.4eddf28.8.unpack Avira: Label: BDS/Backdoor.Gen
Source: 7.3.gajb.pif.3e2df30.0.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: Covid-19 Data Report Checklist_pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Covid-19 Data Report Checklist_pdf.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Covid-19 Data Report Checklist_pdf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B03C4A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$cha 6_2_00B03C4A
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001CA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_001CA2DF
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001DAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_001DAFB9
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001E9FD3 FindFirstFileExA, 0_2_001E9FD3
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_0089399B GetFileAttributesW,FindFirstFileW,FindClose, 4_2_0089399B
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008B2408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose, 4_2_008B2408
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008A280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 4_2_008A280D
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008D8877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 4_2_008D8877
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008BCAE7 FindFirstFileW,FindNextFileW,FindClose, 4_2_008BCAE7
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_00891A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 4_2_00891A73
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008ABCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 4_2_008ABCB3
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008BDE7C FindFirstFileW,FindClose, 4_2_008BDE7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B04C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,D3DKMTWaitForSynchronizationObjectFromGpu,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 6_2_00B04C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B10586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,D3DKMTWaitForSynchronizationObjectFromGpu,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@ 6_2_00B10586
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B0751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 6_2_00B0751B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B0728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 6_2_00B0728F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B12BEE Sleep,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 6_2_00B12BEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B03325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 6_2_00B03325
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B0477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 6_2_00B0477E
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_0089399B GetFileAttributesW,FindFirstFileW,FindClose, 7_2_0089399B
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_008B2408 FindFirstFileW,Sleep,FindNextFileW,FindClose, 7_2_008B2408
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_008A280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 7_2_008A280D
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_008BCAE7 FindFirstFileW,FindNextFileW,FindClose, 7_2_008BCAE7
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_00891A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 7_2_00891A73
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_008ABCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 7_2_008ABCB3
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_008BDE7C FindFirstFileW,FindClose, 7_2_008BDE7C
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_008ABF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 7_2_008ABF17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00724C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,D3DKMTWaitForSynchronizationObjectFromGpu,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 10_2_00724C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0072751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 10_2_0072751B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00730586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,D3DKMTWaitForSynchronizationObjectFromGpu,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator 10_2_00730586
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0072728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 10_2_0072728F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0072477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QA 10_2_0072477E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00723325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 10_2_00723325
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00732BEE Sleep,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 10_2_00732BEE

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: cato.fingusti.club
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FINK-TELECOM-SERVICESCH
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 79.134.225.107
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49735 -> 79.134.225.107:6609
Source: gajb.pif.0.dr String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: gajb.pif.0.dr String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: gajb.pif.0.dr String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: gajb.pif.0.dr String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: gajb.pif.0.dr String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: gajb.pif.0.dr String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: gajb.pif.0.dr String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: gajb.pif.0.dr String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: gajb.pif, 00000004.00000000.351014481.000000000090B000.00000002.00020000.sdmp, gajb.pif, 00000007.00000002.604457308.000000000090B000.00000002.00020000.sdmp, gajb.pif.0.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: gajb.pif.0.dr String found in binary or memory: http://www.globalsign.net/repository/0
Source: gajb.pif.0.dr String found in binary or memory: http://www.globalsign.net/repository/03
Source: gajb.pif.0.dr String found in binary or memory: http://www.globalsign.net/repository09
Source: unknown DNS traffic detected: queries for: cato.fingusti.club
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008A2285 InternetQueryDataAvailable,InternetReadFile, 4_2_008A2285
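Added example, not part of the Joe Sandbox report and not code from the sample: a small matcher that checks the network indicators above against Zeek-style DNS and connection logs. The indicators are the report's own (cato.fingusti.club from the extracted configuration, 79.134.225.107 and TCP/6609 from the observed traffic); the log lines are constructed for the demo, their layout is a simplified Zeek format, and the common-port list and internal-network list are this example's assumptions. It goes one step beyond the report in also matching subdomains of the C2 hostname. Two caveats a practitioner would apply are encoded in it: the crl.globalsign.net, secure.globalsign.net, www.globalsign.net and www.autoitscript.com strings listed for gajb.pif are typical of an Authenticode certificate chain (CRL and CA-certificate fetch URLs) and of the AutoIt interpreter's own metadata, not of the Remcos configuration, so they are excluded rather than alerted on; and "port 6609 to some public host" is a weak signal on its own, so it is reported as low confidence unless the destination is the configured IP.

```python
"""Match the C2 indicators from this report against Zeek-style DNS and connection logs.

Added example, not part of the Joe Sandbox report or of the sample. The log lines below are
constructed for the demo and use a simplified, tab-separated Zeek layout:
  dns.log : ts  uid  orig_h  orig_p  resp_h  resp_p  query  qtype
  conn.log: ts  uid  orig_h  orig_p  resp_h  resp_p  proto
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Indicators taken from the report: malware configuration and observed traffic.
C2_DOMAINS = {"cato.fingusti.club"}
C2_IPS = {"79.134.225.107"}
C2_PORTS = {6609}

# Hosts found in the dropped AutoIt runtime's strings that belong to its signing
# certificate chain (CRL / CA-cert URLs) or interpreter metadata: noise, never alerted on.
BENIGN_HOSTS = {
    "crl.globalsign.net",
    "secure.globalsign.net",
    "www.globalsign.net",
    "www.autoitscript.com",
}

# Assumption for this example: ports the "non-standard port" heuristic ignores.
COMMON_PORTS = {22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8080, 8443}

# Explicit internal ranges (RFC 1918, loopback, link-local). ipaddress.is_private would
# also class the RFC 5737 documentation addresses used in the sample as private.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
]


@dataclass(frozen=True)
class Alert:
    line_no: int      # 1-based index into the log list
    confidence: str   # "high" = exact IOC hit, "low" = heuristic only
    reason: str
    evidence: str


def domain_matches(qname: str, indicator: str) -> bool:
    """True for the indicator itself or any label underneath it, never for lookalikes."""
    qname = qname.lower().rstrip(".")
    return qname == indicator or qname.endswith("." + indicator)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_dns(lines: list[str]) -> list[Alert]:
    """Flag queries for the configured C2 hostname or any subdomain of it."""
    alerts: list[Alert] = []
    for n, line in enumerate(lines, 1):
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # header or malformed line
        qname = fields[6]
        if any(domain_matches(qname, host) for host in BENIGN_HOSTS):
            continue
        if any(domain_matches(qname, dom) for dom in C2_DOMAINS):
            alerts.append(Alert(n, "high", "dns-query-c2-domain", qname))
    return alerts


def check_conn(lines: list[str]) -> list[Alert]:
    """Flag connections to the C2 IP (high) and, heuristically, the C2 port or any
    non-standard port on other public hosts (low)."""
    alerts: list[Alert] = []
    for n, line in enumerate(lines, 1):
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        dst_ip, dst_port = fields[4], int(fields[5])
        evidence = f"{fields[2]}:{fields[3]} -> {dst_ip}:{dst_port}"
        if dst_ip in C2_IPS:
            alerts.append(Alert(n, "high", "conn-c2-ip", evidence))
            continue
        if is_internal(dst_ip):
            continue  # internal traffic on the same port is not this C2
        if dst_port in C2_PORTS:
            alerts.append(Alert(n, "low", "conn-c2-port-public-host", evidence))
        elif dst_port not in COMMON_PORTS:
            alerts.append(Alert(n, "low", "conn-nonstandard-port", evidence))
    return alerts


# Constructed sample logs (not captured from the sample); RFC 5737 addresses stand in
# for unrelated public hosts.
SAMPLE_DNS = [
    "1631012345.1\tC1\t192.168.2.6\t52113\t192.168.2.1\t53\tcato.fingusti.club\tA",
    "1631012346.1\tC2\t192.168.2.6\t52114\t192.168.2.1\t53\tcrl.globalsign.net\tA",
    "1631012347.1\tC3\t192.168.2.6\t52115\t192.168.2.1\t53\tlogin.example.org\tA",
    "1631012348.1\tC4\t192.168.2.6\t52116\t192.168.2.1\t53\twww.autoitscript.com\tA",
    "1631012349.1\tC5\t192.168.2.6\t52117\t192.168.2.1\t53\tupdate.cato.fingusti.club\tA",
]
SAMPLE_CONN = [
    "1631012350.0\tC6\t192.168.2.6\t49735\t79.134.225.107\t6609\ttcp",
    "1631012351.0\tC7\t192.168.2.6\t49736\t203.0.113.10\t443\ttcp",
    "1631012352.0\tC8\t192.168.2.6\t49737\t10.0.0.5\t6609\ttcp",
    "1631012353.0\tC9\t192.168.2.6\t49738\t198.51.100.7\t6609\ttcp",
    "1631012354.0\tC10\t192.168.2.6\t49739\t198.51.100.8\t4444\ttcp",
]

if __name__ == "__main__":
    for alert in check_dns(SAMPLE_DNS) + check_conn(SAMPLE_CONN):
        print(alert)
```

On real Zeek output the field positions differ (dns.log carries proto, trans_id and rtt before query), so adjust the column indices or read the `#fields` header; the matching logic stays the same.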

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality to capture and log keystrokes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Esc] 6_2_00B05EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Enter] 6_2_00B05EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Tab] 6_2_00B05EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Down] 6_2_00B05EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Right] 6_2_00B05EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Up] 6_2_00B05EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Left] 6_2_00B05EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [End] 6_2_00B05EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [F2] 6_2_00B05EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [F1] 6_2_00B05EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Del] 6_2_00B05EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Del] 6_2_00B05EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Esc] 10_2_00725EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Enter] 10_2_00725EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Tab] 10_2_00725EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Down] 10_2_00725EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Right] 10_2_00725EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Up] 10_2_00725EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Left] 10_2_00725EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [End] 10_2_00725EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [F2] 10_2_00725EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [F1] 10_2_00725EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Del] 10_2_00725EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Del] 10_2_00725EB2
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008A42E1 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW, 4_2_008A42E1
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008BA0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 4_2_008BA0FC
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008CD8E9 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 4_2_008CD8E9
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008DC7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 4_2_008DC7D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B0532D GetKeyState,GetKeyState,GetKeyState,CallNextHookEx, 6_2_00B0532D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0072532D GetKeyState,GetKeyState,GetKeyState,CallNextHookEx, 10_2_0072532D
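Added triage helper, not part of Joe Sandbox and not code from the sample: a parser for the "Code function" lines used throughout this report (the file-enumeration chains above and the keystroke, clipboard and hook lines in this section) that groups the API chains and quoted strings by function id and tags each function with the behaviour its chain implies. The sample lines are copied from the report; the behaviour table, the reading of the id as <process index>_<snapshot>_<address>, and the "three or more bracketed key names" heuristic are this example's own assumptions. The point of the tags is to separate the hits a reviewer would weigh differently: the gajb.pif function 4_2_008DC7D6 that the key-state-polling signature fires on sits among ImageList_BeginDrag, TrackPopupMenuEx and SendMessageW calls and reads like GUI control handling in the AutoIt interpreter rather than keystroke capture, whereas the RegSvcs.exe function 6_2_00B0532D pairs GetKeyState with CallNextHookEx, the shape of a keyboard hook callback, which together with the [Esc]/[Enter]/[Tab] name table in 6_2_00B05EB2 is the stronger keylogger evidence.

```python
"""Parse the "Code function" lines of a Joe Sandbox report and tag each function with the
behaviour its API chain implies.

Added triage helper, not part of Joe Sandbox or of the sample. The sample lines below are
copied from the report; the behaviour table and the reading of the function id as
<process index>_<snapshot>_<address> are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^Source:\s+(?P<src>.+?)\s+Code function:\s+(?P<body>.+?)\s+"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]{6,8})\s*$"
)


@dataclass
class Function:
    source: str                                       # process image the function lives in
    fid: str                                          # e.g. 6_2_00B0532D
    apis: list[str] = field(default_factory=list)     # imported calls, in report order
    strings: list[str] = field(default_factory=list)  # literals the report quoted


def canonical(api: str) -> str:
    """Fold the ANSI/Unicode suffix so FindFirstFileA and FindFirstFileW compare equal."""
    return re.sub(r"(?<=[a-z])[AW]$", "", api)


def parse(lines: list[str]) -> dict[str, Function]:
    """Group report lines by function id. API-chain lines repeat the id in front of the
    chain; string-evidence lines (e.g. "[Esc]") carry only the trailing id."""
    functions: dict[str, Function] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a Code function line
        src, body, fid = m.group("src"), m.group("body"), m.group("fid")
        fn = functions.setdefault(fid, Function(src, fid))
        if body.startswith(fid + " "):
            chain = body[len(fid) + 1:]
            fn.apis.extend(a.strip() for a in chain.split(",") if a.strip())
        else:
            fn.strings.append(body)
    return functions


# behaviour -> (APIs that must all be present, APIs of which at least one must be present)
BEHAVIOURS: dict[str, tuple[set[str], set[str]]] = {
    "file-enumeration": ({"FindFirstFile", "FindNextFile"}, set()),
    "file-deletion": ({"FindFirstFile"}, {"DeleteFile", "RemoveDirectory"}),
    "keyboard-hook": ({"CallNextHookEx"}, {"GetKeyState", "GetAsyncKeyState", "GetKeyboardState"}),
    "clipboard-read": ({"OpenClipboard", "GetClipboardData"}, set()),
    "http-download": ({"InternetReadFile"}, set()),
    "tcp-connect": ({"socket", "connect"}, set()),
}


def classify(fn: Function) -> set[str]:
    apis = {canonical(a) for a in fn.apis}
    found = {
        name for name, (required, any_of) in BEHAVIOURS.items()
        if required <= apis and (not any_of or apis & any_of)
    }
    # Three or more bracketed key names in one function is the shape of a keystroke
    # formatting routine (the report quotes [Esc], [Enter], [Tab], ... for 6_2_00B05EB2).
    if sum(1 for s in fn.strings if s.startswith("[") and s.endswith("]")) >= 3:
        found.add("key-name-table")
    return found


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Function id -> sorted behaviour tags, for functions that matched at least one."""
    return {fid: sorted(tags) for fid, fn in parse(lines).items() if (tags := classify(fn))}


# Lines copied verbatim from this report (raw strings keep the backslashes intact).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_008B2408 FindFirstFileW,Sleep,FindNextFileW,FindClose, 7_2_008B2408",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B12BEE Sleep,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 6_2_00B12BEE",
    r"Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008A2285 InternetQueryDataAvailable,InternetReadFile, 4_2_008A2285",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Esc] 6_2_00B05EB2",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Enter] 6_2_00B05EB2",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: [Tab] 6_2_00B05EB2",
    r"Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008CD8E9 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 4_2_008CD8E9",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B0532D GetKeyState,GetKeyState,GetKeyState,CallNextHookEx, 6_2_00B0532D",
]

if __name__ == "__main__":
    for fid, tags in sorted(triage(SAMPLE_LINES).items()):
        print(fid, ", ".join(tags))
```

Feed it the whole report text (one string per line) to get a per-function summary; the mangled C++ names (entries beginning with `?`) are kept in `apis` but never matched, so they do not disturb the tags.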

E-Banking Fraud:

barindex
Yara detected Remcos RAT

System Summary:

Malicious sample detected (through community Yara rule)
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Covid-19 Data Report Checklist_pdf.exe
Detected potential crypto function
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008A6219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 4_2_008A6219
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Section loaded: dxgidebug.dll
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\11951071\gajb.pif 85A25432737A47B03CAF3783BE66A902F0A36E70718C3CEEE765042EF190FB9A
Uses 32bit PE files
Source: Covid-19 Data Report Checklist_pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 4.3.gajb.pif.4efdf30.0.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4efdf30.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.3.gajb.pif.3e2df30.16.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.3.gajb.pif.3e2df30.16.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4efdf30.10.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4efdf30.10.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4eddf28.16.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4eddf28.16.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.3.gajb.pif.30e7c20.11.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.3.gajb.pif.30e7c20.11.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4efdf30.12.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4efdf30.12.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4efdf30.15.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4efdf30.15.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4efdf30.5.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4efdf30.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.3.gajb.pif.3e2df30.15.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.3.gajb.pif.3e2df30.15.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.RegSvcs.exe.b00000.0.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 6.2.RegSvcs.exe.b00000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4eddf28.11.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4eddf28.11.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.3.gajb.pif.3e2df30.3.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.3.gajb.pif.3e2df30.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4eddf28.13.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4eddf28.13.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4eddf28.14.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4eddf28.14.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4f1e740.9.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4f1e740.9.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4eddf28.8.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4eddf28.8.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 10.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4efdf30.10.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4efdf30.10.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4efdf30.3.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4efdf30.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.3.gajb.pif.3e2df30.7.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.3.gajb.pif.3e2df30.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4efdf30.17.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4efdf30.17.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.3.gajb.pif.3e0df28.14.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.3.gajb.pif.3e0df28.14.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.3.gajb.pif.3e2df30.13.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.3.gajb.pif.3e2df30.13.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4eddf28.13.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4eddf28.13.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.3.gajb.pif.3de0050.8.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.3.gajb.pif.3de0050.8.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4eddf28.2.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4eddf28.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4efdf30.7.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4efdf30.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.3.gajb.pif.3e6e748.5.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.3.gajb.pif.3e6e748.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4efdf30.12.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4efdf30.12.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.3.gajb.pif.3e0df28.10.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.3.gajb.pif.3e0df28.10.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.RegSvcs.exe.720000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 10.2.RegSvcs.exe.720000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.3.gajb.pif.3e2df30.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.3.gajb.pif.3e2df30.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4eddf28.2.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4eddf28.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4efdf30.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4efdf30.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4eddf28.14.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4eddf28.14.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.3.gajb.pif.3e0df28.12.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.3.gajb.pif.3e0df28.12.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.3.gajb.pif.3e0df28.2.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.3.gajb.pif.3e0df28.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.3.gajb.pif.3e2df30.17.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.3.gajb.pif.3e2df30.17.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4eddf28.4.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4eddf28.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4eddf28.4.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4eddf28.4.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4efdf30.15.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4efdf30.15.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.RegSvcs.exe.b00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 6.2.RegSvcs.exe.b00000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4eddf28.6.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4eddf28.6.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.3.gajb.pif.3e2df30.9.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.3.gajb.pif.3e2df30.9.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.3.gajb.pif.3e2df30.4.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.3.gajb.pif.3e2df30.4.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4efdf30.7.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4efdf30.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4eddf28.16.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4eddf28.16.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.3.gajb.pif.3e2df30.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.3.gajb.pif.3e2df30.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4eddf28.11.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4eddf28.11.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4efdf30.3.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4efdf30.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4efdf30.5.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4efdf30.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.41a67d0.18.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.41a67d0.18.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4efdf30.17.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4efdf30.17.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4efdf30.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4efdf30.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4eddf28.8.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4eddf28.8.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4efdf30.1.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4efdf30.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.3.gajb.pif.3e0df28.6.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.3.gajb.pif.3e0df28.6.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.gajb.pif.4eddf28.6.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 4.3.gajb.pif.4eddf28.6.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000006.00000002.604178944.0000000000B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 00000006.00000002.604178944.0000000000B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000A.00000002.394968459.0000000000720000.00000040.00000001.sdmp, type: MEMORY Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0000000A.00000002.394968459.0000000000720000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008933A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 4_2_008933A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B0D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait 6_2_00B0D2A6
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_008933A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 7_2_008933A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0072D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trai 10_2_0072D2A6
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0073203B appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00B1203B appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00733E72 appears 49 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00B13E72 appears 49 times
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: String function: 001DE2F0 appears 31 times
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: String function: 001DD940 appears 51 times
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: String function: 001DD870 appears 35 times
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: String function: 008A59E6 appears 81 times
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: String function: 00882160 appears 36 times
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: String function: 00890165 appears 34 times
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: String function: 0087333F appears 36 times
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: String function: 00878115 appears 38 times
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: String function: 0086E970 appears 39 times
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: String function: 00876B90 appears 73 times
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: String function: 008714F7 appears 45 times
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: String function: 00861D10 appears 40 times
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001C6FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_001C6FC6
Source: Covid-19 Data Report Checklist_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe File created: C:\Users\user\AppData\Roaming\11951071
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/56@1/1
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001C6D06 GetLastError,FormatMessageW, 0_2_001C6D06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B11927 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 6_2_00B11927
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001D963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_001D963A
Source: Covid-19 Data Report Checklist_pdf.exe ReversingLabs: Detection: 51%
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe File read: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe 'C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe'
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Process created: C:\Users\user\AppData\Roaming\11951071\gajb.pif 'C:\Users\user\AppData\Roaming\11951071\gajb.pif' wodm.efi
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\11951071\gajb.pif 'C:\Users\user\AppData\Roaming\11951071\gajb.pif' C:\Users\user\AppData\Roaming\11951071\wodm.efi
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Process created: C:\Users\user\AppData\Roaming\11951071\gajb.pif 'C:\Users\user\AppData\Roaming\11951071\gajb.pif' wodm.efi
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008933A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 4_2_008933A3
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008C4AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 4_2_008C4AEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B0EC0F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 6_2_00B0EC0F
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_008933A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 7_2_008933A3
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_008C4AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 7_2_008C4AEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0072EC0F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 10_2_0072EC0F
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif File created: C:\Users\user\temp\olml.bmp
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008CE0F6 CoInitialize,CoCreateInstance,CoUninitialize, 4_2_008CE0F6
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008BD606 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 4_2_008BD606
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_00893EC5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,FindCloseChangeNotification, 4_2_00893EC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-VHEUO4
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Command line argument: sfxname 0_2_001DCBB8
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Command line argument: sfxstime 0_2_001DCBB8
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Command line argument: STARTDLG 0_2_001DCBB8
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe File written: C:\Users\user\AppData\Roaming\11951071\lwibsqbclk.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Covid-19 Data Report Checklist_pdf.exe Static file information: File size 1112765 > 1048576
Source: Covid-19 Data Report Checklist_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Covid-19 Data Report Checklist_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Covid-19 Data Report Checklist_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Covid-19 Data Report Checklist_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Covid-19 Data Report Checklist_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Covid-19 Data Report Checklist_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Covid-19 Data Report Checklist_pdf.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Covid-19 Data Report Checklist_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Covid-19 Data Report Checklist_pdf.exe
Source: Covid-19 Data Report Checklist_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Covid-19 Data Report Checklist_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Covid-19 Data Report Checklist_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Covid-19 Data Report Checklist_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Covid-19 Data Report Checklist_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001DE336 push ecx; ret 0_2_001DE349
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001DD870 push eax; ret 0_2_001DD88E
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_0088D53C push 740088CFh; iretd 4_2_0088D541
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_00876BD5 push ecx; ret 4_2_00876BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B13ED0 push eax; ret 6_2_00B13EFE
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_00876BD5 push ecx; ret 7_2_00876BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00733ED0 push eax; ret 10_2_00733EFE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_0086EE30 LoadLibraryA,GetProcAddress, 4_2_0086EE30
File is packed with WinRar
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe File created: C:\Users\user\AppData\Roaming\11951071\__tmp_rar_sfx_access_check_6971843

Persistence and Installation Behavior:

Drops PE files with a suspicious file extension
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe File created: C:\Users\user\AppData\Roaming\11951071\gajb.pif
Drops PE files
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe File created: C:\Users\user\AppData\Roaming\11951071\gajb.pif
Contains functionality to download and launch executables
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B0D4E5 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 6_2_00B0D4E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B117C7 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,ControlService,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 6_2_00B117C7

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008DA2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 4_2_008DA2EA
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008943FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 4_2_008943FF
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_008943FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 7_2_008943FF
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B09908 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 6_2_00B09908
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM autoit script
Source: Yara match File source: Process Memory Space: gajb.pif PID: 7164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: gajb.pif PID: 4752, type: MEMORYSTR
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif TID: 6216 Thread sleep count: 5968 > 30
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif TID: 6216 Thread sleep time: -59680s >= -30000s
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif TID: 6216 Thread sleep count: 68 > 30
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif TID: 1536 Thread sleep count: 5237 > 30
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif TID: 1536 Thread sleep time: -52370s >= -30000s
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif TID: 1536 Thread sleep count: 115 > 30
Sleep loop found (likely to delay execution)
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Thread sleep count: Count: 5968 delay: -10
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Thread sleep count: Count: 5237 delay: -10
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Last function: Thread delayed
Contains functionality to enumerate running services
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: OpenSCManagerA,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,EnumServicesStatusW,EnumServicesStatusW,GetLastError,malloc,EnumServicesStatusW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,OpenServiceW,QueryServiceConfigW,GetLastError,malloc,QueryServiceConfigW,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,CloseServiceHandle,free,CloseServiceHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 6_2_00B113C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: OpenSCManagerA,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,EnumServicesStatusW,EnumServicesStatusW,GetLastError,malloc,EnumServicesStatusW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,OpenServiceW,QueryServiceConfigW,GetLastError,malloc,QueryServiceConfigW,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,CloseServiceHandle,free,CloseServiceHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 10_2_007313C9
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B05156 GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 00B0517Bh 6_2_00B05156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B05156 GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 00B0517Bh 6_2_00B05156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00725156 GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0072517Bh 10_2_00725156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00725156 GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 0072517Bh 10_2_00725156
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Window / User API: threadDelayed 5968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 635
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Window / User API: threadDelayed 5237
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B03C4A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$cha 6_2_00B03C4A
Source: gajb.pif, 00000007.00000002.605481201.0000000003010000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: gajb.pif, 00000004.00000002.605353450.00000000040D0000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then6q2
Source: gajb.pif, 00000007.00000002.605481201.0000000003010000.00000004.00000001.sdmp Binary or memory string: VMwareUser.exe
Source: Covid-19 Data Report Checklist_pdf.exe, 00000000.00000002.352654901.0000000000CB8000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oyH
Source: gajb.pif, 00000004.00000002.605353450.00000000040D0000.00000004.00000001.sdmp Binary or memory string: VMwareService.exe65687
Source: wodm.efi.0.dr Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: wodm.efi.0.dr Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: gajb.pif, 00000007.00000002.605481201.0000000003010000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: gajb.pif, 00000007.00000002.605481201.0000000003010000.00000004.00000001.sdmp Binary or memory string: VMwaretray.exer
Source: gajb.pif, 00000004.00000002.605353450.00000000040D0000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThensY
Source: gajb.pif, 00000007.00000002.605481201.0000000003010000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenB
Source: Covid-19 Data Report Checklist_pdf.exe, 00000000.00000002.352654901.0000000000CB8000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: wodm.efi.0.dr Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
Source: olml.bmp.0.dr Binary or memory string: 4evP100V735R8198826PTo9O08FN06pV674Y9m62g37m0604BEK7vmCiq6y9Y6
Source: gajb.pif, 00000004.00000002.605353450.00000000040D0000.00000004.00000001.sdmp Binary or memory string: VMwaretray.exe
Source: wodm.efi.0.dr Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: gajb.pif, 00000007.00000002.605481201.0000000003010000.00000004.00000001.sdmp Binary or memory string: VMwareService.exe536C7
Source: gajb.pif, 00000007.00000002.605481201.0000000003010000.00000004.00000001.sdmp Binary or memory string: VBoxTray.exe
Source: gajb.pif, 00000004.00000002.605353450.00000000040D0000.00000004.00000001.sdmp Binary or memory string: VBoxTray.exeY!
Source: gajb.pif, 00000007.00000002.605481201.0000000003010000.00000004.00000001.sdmp Binary or memory string: VboxService.exe
Source: gajb.pif, 00000007.00000002.605481201.0000000003010000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then~
Source: gajb.pif, 00000007.00000002.605481201.0000000003010000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Then47
Source: gajb.pif, 00000004.00000002.605353450.00000000040D0000.00000004.00000001.sdmp Binary or memory string: VboxService.exe
Source: gajb.pif, 00000004.00000002.605353450.00000000040D0000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: wodm.efi.0.dr Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001DD353 VirtualQuery,GetSystemInfo, 0_2_001DD353
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001CA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_001CA2DF
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001DAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_001DAFB9
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001E9FD3 FindFirstFileExA, 0_2_001E9FD3
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_0089399B GetFileAttributesW,FindFirstFileW,FindClose, 4_2_0089399B
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008B2408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose, 4_2_008B2408
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008A280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 4_2_008A280D
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008D8877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 4_2_008D8877
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008BCAE7 FindFirstFileW,FindNextFileW,FindClose, 4_2_008BCAE7
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_00891A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 4_2_00891A73
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008ABCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 4_2_008ABCB3
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008BDE7C FindFirstFileW,FindClose, 4_2_008BDE7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B04C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,D3DKMTWaitForSynchronizationObjectFromGpu,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 6_2_00B04C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B10586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,D3DKMTWaitForSynchronizationObjectFromGpu,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@ 6_2_00B10586
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B0751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 6_2_00B0751B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B0728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 6_2_00B0728F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B12BEE Sleep,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 6_2_00B12BEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B03325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 6_2_00B03325
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B0477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$ch
ar_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 6_2_00B0477E
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_0089399B GetFileAttributesW,FindFirstFileW,FindClose, 7_2_0089399B
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_008B2408 FindFirstFileW,Sleep,FindNextFileW,FindClose, 7_2_008B2408
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_008A280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 7_2_008A280D
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_008BCAE7 FindFirstFileW,FindNextFileW,FindClose, 7_2_008BCAE7
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_00891A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 7_2_00891A73
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_008ABCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 7_2_008ABCB3
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_008BDE7C FindFirstFileW,FindClose, 7_2_008BDE7C
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_008ABF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 7_2_008ABF17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00724C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,D3DKMTWaitForSynchronizationObjectFromGpu,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V
?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 10_2_00724C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0072751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 10_2_0072751B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00730586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,D3DKMTWaitForSynchronizationObjectFromGpu,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z
,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator 10_2_00730586
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0072728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@st
d@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 10_2_0072728F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0072477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$c
har_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QA 10_2_0072477E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00723325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 10_2_00723325
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00732BEE Sleep,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 10_2_00732BEE

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_0086EE30 LoadLibraryA,GetProcAddress, 4_2_0086EE30
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001E6AF3 mov eax, dword ptr fs:[00000030h] 0_2_001E6AF3
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001DE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_001DE4F5
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001EACA1 GetProcessHeap, 0_2_001EACA1
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_00876374 GetStartupInfoW,__heap_init,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineW,__wsetargv,__amsg_exit,__wsetenvp,__amsg_exit,__cinit,__amsg_exit,__wwincmdln,LdrInitializeThunk, 4_2_00876374
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008BA35D BlockInput, 4_2_008BA35D
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001DE643 SetUnhandledExceptionFilter, 0_2_001DE643
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001DE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_001DE4F5
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001DE7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_001DE7FB
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001E7BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_001E7BE1
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_0087F170 SetUnhandledExceptionFilter, 4_2_0087F170
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_0087A128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0087A128
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_00877CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00877CCD
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_0087A128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_0087A128
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_00877CCD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00877CCD

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B00000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 720000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B00000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 720000 value starts with: 4D5A
Contains functionality to inject code into remote processes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00B0F219 _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 6_2_00B0F219
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B00000
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 8C1000
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 720000
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 4CE000
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetCurrentProcessId,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenMutexA,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenProcess,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?
$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,CloseHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, \svchost.exe 6_2_00B0A5F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetCurrentProcessId,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenMutexA,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenProcess,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,CloseHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, \svchost.exe 10_2_0072A5F5
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008943FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 4_2_008943FF
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Process created: C:\Users\user\AppData\Roaming\11951071\gajb.pif 'C:\Users\user\AppData\Roaming\11951071\gajb.pif' wodm.efi
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_00896C61 LogonUserW, 4_2_00896C61
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_0086D7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 4_2_0086D7A0
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_00893321 __wcsicoll,mouse_event,__wcsicoll,mouse_event, 4_2_00893321
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008A602A GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 4_2_008A602A
Source: RegSvcs.exe, 00000006.00000002.605216185.0000000002E96000.00000004.00000040.sdmp Binary or memory string: Program ManagerF
Source: RegSvcs.exe, 00000006.00000002.605216185.0000000002E96000.00000004.00000040.sdmp Binary or memory string: Program Manager
Source: gajb.pif.0.dr Binary or memory string: IDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
Source: gajb.pif Binary or memory string: Shell_TrayWnd
Source: gajb.pif, 00000004.00000002.604725784.0000000002C00000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000002.604863346.00000000019A0000.00000002.00020000.sdmp, gajb.pif, 00000007.00000002.605139274.0000000001C00000.00000002.00020000.sdmp Binary or memory string: Progman
Source: gajb.pif, 00000004.00000002.605353450.00000000040D0000.00000004.00000001.sdmp, gajb.pif, 00000007.00000002.605481201.0000000003010000.00000004.00000001.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: logs.dat.6.dr Binary or memory string: [ Program Manager ]
Source: RegSvcs.exe, 00000006.00000002.605216185.0000000002E96000.00000004.00000040.sdmp Binary or memory string: Program Manager0|
Source: RegSvcs.exe, 00000006.00000002.605216185.0000000002E96000.00000004.00000040.sdmp Binary or memory string: Program Manager,
Source: RegSvcs.exe, 00000006.00000002.605216185.0000000002E96000.00000004.00000040.sdmp Binary or memory string: Program Managerr|
Source: RegSvcs.exe, 00000006.00000002.605216185.0000000002E96000.00000004.00000040.sdmp Binary or memory string: |Program Manager
Source: wodm.efi.0.dr Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: gajb.pif, 00000004.00000002.604725784.0000000002C00000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000002.604863346.00000000019A0000.00000002.00020000.sdmp, gajb.pif, 00000007.00000002.605139274.0000000001C00000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: gajb.pif, 00000007.00000002.605481201.0000000003010000.00000004.00000001.sdmp Binary or memory string: Program ManagerW
Source: RegSvcs.exe, 00000006.00000002.605216185.0000000002E96000.00000004.00000040.sdmp Binary or memory string: Program Manager8
Source: gajb.pif, 00000004.00000002.605353450.00000000040D0000.00000004.00000001.sdmp Binary or memory string: Program ManagerO
Source: gajb.pif, 00000004.00000002.604725784.0000000002C00000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000002.604863346.00000000019A0000.00000002.00020000.sdmp, gajb.pif, 00000007.00000002.605139274.0000000001C00000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: gajb.pif, 00000004.00000002.604037617.00000000008E2000.00000002.00020000.sdmp, gajb.pif, 00000007.00000000.380946147.00000000008E2000.00000002.00020000.sdmp Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
Source: RegSvcs.exe, 00000006.00000002.605216185.0000000002E96000.00000004.00000040.sdmp Binary or memory string: |Program Manager|

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_001D9D99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z, 6_2_00B09E7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z, 10_2_00729E7D
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001DE34B cpuid 0_2_001DE34B
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001DCBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle, 0_2_001DCBB8
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_0087E284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 4_2_0087E284
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008D2BF9 GetUserNameW, 4_2_008D2BF9
Source: C:\Users\user\Desktop\Covid-19 Data Report Checklist_pdf.exe Code function: 0_2_001CA995 GetVersionExW, 0_2_001CA995

Stealing of Sensitive Information:

Yara detected Remcos RAT
Source: Yara match File source: 4.3.gajb.pif.4efdf30.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.30e7c20.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4f1e740.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e0df28.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3de0050.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e6e748.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e0df28.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.RegSvcs.exe.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e0df28.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e0df28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.41a67d0.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e0df28.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.363037979.0000000004E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.368157698.0000000004EDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394956149.00000000030E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362785019.0000000004EDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394845153.00000000030E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392597947.0000000003E2E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363087933.0000000004E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.368298826.0000000004183000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394884254.0000000003E01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392716765.0000000003E2D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392613575.0000000003E0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.368190067.0000000004E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.395236457.0000000003E2D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394633722.0000000003DC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392497684.0000000003E0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.395044365.0000000003E0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363208796.0000000004F1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.395138441.0000000003E0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394775886.0000000003E0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392562844.00000000030E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.365775815.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394897994.0000000003E0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.368263690.00000000041A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363139227.0000000004EB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362829270.0000000004E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.364800207.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.395200943.0000000002C40000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363109577.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362748203.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362850029.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.604178944.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.368145080.0000000004F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.367804453.0000000004EFE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392774240.0000000003E4F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392430101.0000000003E0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.605185347.0000000002E90000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362989854.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363056424.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392475891.0000000003DC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.365073207.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362894368.00000000041A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362921698.0000000004EFE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394990382.0000000003DE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.394968459.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363159769.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363020662.0000000004EFE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392846038.0000000003E0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gajb.pif PID: 7164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: gajb.pif PID: 4752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4124, type: MEMORYSTR
Contains functionality to steal Firefox passwords or cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 6_2_00B0728F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: \key3.db 6_2_00B0728F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 10_2_0072728F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: \key3.db 10_2_0072728F
Contains functionality to steal Chrome passwords or cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 6_2_00B0710F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 10_2_0072710F
OS version to string mapping found (often used in BOTs)
Source: gajb.pif Binary or memory string: WIN_XP
Source: gajb.pif Binary or memory string: WIN_XPe
Source: gajb.pif Binary or memory string: WIN_VISTA
Source: gajb.pif.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte!
Source: gajb.pif Binary or memory string: WIN_7
Source: gajb.pif Binary or memory string: WIN_8

Remote Access Functionality:

Yara detected Remcos RAT
Source: Yara match File source: 4.3.gajb.pif.4efdf30.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.30e7c20.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4f1e740.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e0df28.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3de0050.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e6e748.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e0df28.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.RegSvcs.exe.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e0df28.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e0df28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e2df30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.41a67d0.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4efdf30.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gajb.pif.3e0df28.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gajb.pif.4eddf28.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.363037979.0000000004E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.368157698.0000000004EDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394956149.00000000030E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362785019.0000000004EDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394845153.00000000030E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392597947.0000000003E2E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363087933.0000000004E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.368298826.0000000004183000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394884254.0000000003E01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392716765.0000000003E2D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392613575.0000000003E0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.368190067.0000000004E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.395236457.0000000003E2D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394633722.0000000003DC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392497684.0000000003E0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.395044365.0000000003E0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363208796.0000000004F1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.395138441.0000000003E0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394775886.0000000003E0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392562844.00000000030E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.365775815.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394897994.0000000003E0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.368263690.00000000041A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363139227.0000000004EB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362829270.0000000004E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.364800207.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.395200943.0000000002C40000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363109577.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362748203.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362850029.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.604178944.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.368145080.0000000004F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.367804453.0000000004EFE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392774240.0000000003E4F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392430101.0000000003E0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.605185347.0000000002E90000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362989854.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363056424.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392475891.0000000003DC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.365073207.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362894368.00000000041A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.362921698.0000000004EFE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.394990382.0000000003DE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.394968459.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363159769.0000000004EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.363020662.0000000004EFE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.392846038.0000000003E0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gajb.pif PID: 7164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: gajb.pif PID: 4752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4124, type: MEMORYSTR
Detected Remcos RAT
Source: gajb.pif, 00000004.00000003.363037979.0000000004E91000.00000004.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: gajb.pif, 00000004.00000003.363037979.0000000004E91000.00000004.00000001.sdmp String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.2 Propth_unencoverridev
Source: RegSvcs.exe String found in binary or memory: Remcos_Mutex_Inj
Source: RegSvcs.exe, 00000006.00000002.604178944.0000000000B00000.00000040.00000001.sdmp String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.2 Propth_unencoverridev
Source: gajb.pif, 00000007.00000003.394884254.0000000003E01000.00000004.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: gajb.pif, 00000007.00000003.394884254.0000000003E01000.00000004.00000001.sdmp String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.2 Propth_unencoverridev
Source: RegSvcs.exe String found in binary or memory: Remcos_Mutex_Inj
Source: RegSvcs.exe, 0000000A.00000002.394968459.0000000000720000.00000040.00000001.sdmp String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.2 Propth_unencoverridev
Contains functionality to launch and control a shell (cmd.exe)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: cmd.exe 6_2_00B02B8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: cmd.exe 10_2_00722B8A
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008CC06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 4_2_008CC06C
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008D65D3 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 4_2_008D65D3
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 4_2_008C4EFB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 4_2_008C4EFB
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_008CC06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 7_2_008CC06C
Source: C:\Users\user\AppData\Roaming\11951071\gajb.pif Code function: 7_2_008C4EFB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 7_2_008C4EFB