Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR |
Source: INV NO -609983773 60983768.exe | Joe Sandbox ML: detected |
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack | Malware Configuration Extractor: Remcos {"Version": "3.8.0 Pro", "Host:Port:Password": "172.111.234.110:5888", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-O7I9HK", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"} |
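The configuration above is what Joe Sandbox's extractor recovered from the unpacked payload. The following is an added example, not Joe Sandbox's extractor and not Remcos code, showing the two steps a practitioner repeats by hand: decrypting a Remcos-style settings blob and turning the decoded fields into hunt artefacts. The blob layout (one length byte, an RC4 key, then RC4 ciphertext), the field separator `b"|\x1e\x1e\x1f|"` and the field order are assumptions taken from public write-ups of Remcos 3.x and from the order printed in this report; the sample blob is constructed inline with the values shown above and an invented key, so the script runs offline.

```python
from __future__ import annotations

# Assumptions (not taken from this report): blob layout = 1-byte key length,
# RC4 key, RC4 ciphertext; v3-style field separator; field order as printed above.
FIELD_SEP = b"|\x1e\x1e\x1f|"
FIELD_NAMES = [
    "Host:Port:Password", "Assigned name", "Connect interval", "Install flag",
    "Setup HKCU\\Run", "Setup HKLM\\Run", "Install path", "Copy file",
    "Startup value", "Hide file", "Mutex",
]
RUN_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Symmetric: one routine encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_settings_blob(key: bytes, fields: list[bytes]) -> bytes:
    """Constructs a test blob in the assumed layout so the parser can be exercised offline."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, FIELD_SEP.join(fields))


def parse_settings_blob(blob: bytes) -> dict[str, str]:
    """Decrypts the blob and maps the leading fields to the names Joe Sandbox prints."""
    if not blob or blob[0] == 0 or len(blob) < 1 + blob[0]:
        raise ValueError("malformed blob: bad key length")
    key_len = blob[0]
    plain = rc4(blob[1:1 + key_len], blob[1 + key_len:])
    if FIELD_SEP not in plain:
        raise ValueError("separator not found: wrong key or not a v3-style config")
    parts = plain.split(FIELD_SEP)
    return {name: parts[i].decode("latin-1")
            for i, name in enumerate(FIELD_NAMES) if i < len(parts)}


def hunt_indicators(cfg: dict[str, str]) -> dict:
    """Turns the decoded config into concrete host and network artefacts to look for."""
    host, port = cfg["Host:Port:Password"].split(":")[:2]
    run_values = [(f"{hive}\\{RUN_KEY}", cfg["Startup value"])
                  for hive, flag in (("HKCU", "Setup HKCU\\Run"), ("HKLM", "Setup HKLM\\Run"))
                  if cfg.get(flag) == "Enable"]
    return {
        "c2": (host, int(port)),
        "mutex": cfg["Mutex"],
        "dropped_file": cfg["Copy file"],
        "run_values": run_values,
        # Interpretation: persistence is only written when installation is enabled.
        "install_enabled": cfg.get("Install flag") == "Enable",
    }


# Constructed sample: the values are the ones printed in this report, the key is invented.
SAMPLE_BLOB = build_settings_blob(b"Pass", [
    b"172.111.234.110:5888", b"RemoteHost", b"1", b"Disable", b"Enable", b"Enable",
    b"Application path", b"remcos.exe", b"Remcos", b"Disable", b"Rmc-O7I9HK",
])

if __name__ == "__main__":
    cfg = parse_settings_blob(SAMPLE_BLOB)
    for k, v in hunt_indicators(cfg).items():
        print(f"{k}: {v}")
```

Note the caveat the output carries: this sample's Install flag is Disable while both Run flags are Enable, so the `Remcos` Run values and the `remcos.exe` copy are leads to check for, not artefacts the sandbox confirmed; the mutex `Rmc-O7I9HK` and the 172.111.234.110:5888 endpoint are the indicators to act on first.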
Source: INV NO -609983773 60983768.exe, 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- |
Source: INV NO -609983773 60983768.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: Malware configuration extractor | URLs: 172.111.234.110 |
Source: INV NO -609983773 60983768.exe | String found in binary or memory: http://fsf.org/ |
Source: INV NO -609983773 60983768.exe, 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, INV NO -609983773 60983768.exe, 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C |
Source: INV NO -609983773 60983768.exe | String found in binary or memory: http://itextpdf.com/terms-of-use/ |
Source: INV NO -609983773 60983768.exe | String found in binary or memory: http://www.gnu.org/licenses |
Source: INV NO -609983773 60983768.exe | String found in binary or memory: http://www.gnu.org/licenses/ |
Source: INV NO -609983773 60983768.exe | String found in binary or memory: http://www.gnu.org/licenses/gpl-faq.html#FontException |
Source: INV NO -609983773 60983768.exe | String found in binary or memory: https://opensource.bulkpdf.de/ |
Source: INV NO -609983773 60983768.exe | String found in binary or memory: https://opensource.bulkpdf.de/Whttps://opensource.bulkpdf.de/documentation |
Source: INV NO -609983773 60983768.exe | String found in binary or memory: https://opensource.bulkpdf.de/documentation |
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR |
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen |
Source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: INV NO -609983773 60983768.exe | Static PE information: No import functions for PE file found |
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
Source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
Source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
Source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: INV NO -609983773 60983768.exe | Binary or memory string: OriginalFilename vs INV NO -609983773 60983768.exe |
Source: INV NO -609983773 60983768.exe, 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs INV NO -609983773 60983768.exe |
Source: INV NO -609983773 60983768.exe, 00000000.00000002.242964715.0000013DA2109000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs INV NO -609983773 60983768.exe |
Source: INV NO -609983773 60983768.exe, 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs INV NO -609983773 60983768.exe |
Source: INV NO -609983773 60983768.exe, 00000000.00000000.237710745.0000013DA1F42000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBulkPDF.exe0 vs INV NO -609983773 60983768.exe |
Source: INV NO -609983773 60983768.exe, 00000000.00000002.243176170.0000013DA2420000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs INV NO -609983773 60983768.exe |
Source: INV NO -609983773 60983768.exe | Binary or memory string: OriginalFilenameBulkPDF.exe0 vs INV NO -609983773 60983768.exe |
Source: INV NO -609983773 60983768.exe | Virustotal: Detection: 9% |
Source: INV NO -609983773 60983768.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: INV NO -609983773 60983768.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88% |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll |
Source: unknown | Process created: C:\Users\user\Desktop\INV NO -609983773 60983768.exe C:\Users\user\Desktop\INV NO -609983773 60983768.exe |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
Source: classification engine | Classification label: mal76.troj.evad.winEXE@11/1@0/0 |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll |
Source: INV NO -609983773 60983768.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: INV NO -609983773 60983768.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Code function: 0_2_00007FFDC3A1000A push fs; ret |
Source: initial sample | Static PE information: section name: .text entropy: 7.3605775158149305 |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe TID: 5164 | Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process token adjusted: Debug |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Memory allocated: page read and write | page guard |
Source: INV NO -609983773 60983768.exe, BIDEN_HARRIS=>1housand/BIDEN_HARRIS=>Follo8ing.cs | Reference to suspicious API methods: ('BIDEN_HARRIS=>6housand', 'VirtualProtect@kernel32.dll'), ('BIDEN_HARRIS=>Contra3t', 'GetProcAddress@kernel32.dll'), ('BIDEN_HARRIS=>Loa8', 'LoadLibrary@kernel32.dll') |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Queries volume information: C:\Users\user\Desktop\INV NO -609983773 60983768.exe VolumeInformation |
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR |
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR |