Multi-License Discount Quote

Change Region

English
Threat Database Backdoors Backdoor.Remcos.HG

Backdoor.Remcos.HG

By CagedTech in Backdoors

Threat Scorecard

Popularity Rank: 5,035
Threat Level: 60 % (Medium)
Infected Computers: 344
First Seen: July 10, 2023
Last Seen: April 14, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Backdoor.Remcos.HG
Signature status: No Signature

Known Samples

MD5: bc21583e15af50484f04a564a6884407
SHA1: e00fc20300764f0e63b7185a22e13c29b8b62bc4
File Size: 3.11 MB, 3114406 bytes
MD5: dd8ffb5d13d36a35fa67521affce3d12
SHA1: db9b44f5a7fc094effbd2017acf0cf027e81523b
File Size: 7.99 MB, 7993120 bytes
MD5: a036dd9e70b2e4087cc97bae611ffdb5
SHA1: c21e7d694b73905ee2693e8ae5e0b7cee4a8cf39
File Size: 6.01 MB, 6012879 bytes
MD5: 0bf1af1ab794d18152c2517f0f1eeccc
SHA1: f815ee81873e4d4f1361ab45f107b5cf39dfaa97
SHA256: 5ADD2245C08896C6FD6611818E3C0AD37FA5F33112FCA5C277F6B64BA6201B1C
File Size: 7.85 MB, 7850776 bytes
MD5: d34cbb9230c689e6b77b93d22c7716e9
SHA1: d0f96a8295d46b681dee77bc784ea9d88556ea23
SHA256: 7D537277A2F89B7230ACF24EF49AFD5CA242D8163B1F91141DE6745C081F0A4A
File Size: 9.98 MB, 9976432 bytes
Show More
MD5: daa90a2059a2463f86a39fd6bc55a8cd
SHA1: 2c63513363283bd8d126331794a90ec17e44d27c
SHA256: 8A8900B4E69A74B659D88D203668BBE8A64BB1E3B8780E103FAE132909EE1778
File Size: 6.58 MB, 6577808 bytes
MD5: 31b2a691c55390b07bcf450b62df240c
SHA1: 8efba2449985cc05c7041ead271253c3218737fb
SHA256: 3D356318D34255A13BD2A2EB49F2A9726D3DF52C59BB48ACC7B227C636119E26
File Size: 2.35 MB, 2349667 bytes
MD5: 273d40d118e856a88c92d700bf92cfb6
SHA1: 9ef5969b399698a477f5b95602b2119218b2b8b8
SHA256: 3D51D538731BF88441D3EAAE570CFFED97AEBB073572B58ED1A02C45840D8470
File Size: 6.00 MB, 6003663 bytes
MD5: af9a524331439868ebf12303a02d3a9a
SHA1: de7e5e2d3fd04c490adcbf72e8391a1a06b214e9
SHA256: 814C095483A24779BAD92E265302740A2133CF96D05D5C4759618E08CF8CE971
File Size: 4.67 MB, 4674776 bytes
MD5: 6a6b2ecad89d71a241cc27e6f4a1643b
SHA1: bc27972907ee8246ec8125dd70c63cf66848eafa
SHA256: 582AD7765F2A73A3818DCCC2FAE421AF216CBEE74C4FB905FA9C5961E4BD136E
File Size: 9.83 MB, 9826408 bytes
MD5: c2ea07bdb92a811bc4f096b39d2eec88
SHA1: 0125931414757b4dc7f820d299acd162870c40fc
SHA256: 7573C89A1704AD934280B859F2EC462E23D1B42A30D567FAFDCF2E0E1DD3E29E
File Size: 7.75 MB, 7750007 bytes
MD5: a0357f52d9e1ec7c823785dc66b38068
SHA1: 04a295fe16dd9ee871d8e1411fbc5c0aeb9861d4
SHA256: 8CDB6947F2498783806A843E49247675F48888FFC2845E4EC3CA5808DADC9967
File Size: 7.06 MB, 7061455 bytes
MD5: 6e14da7bcbac93d1a193cfdd817f03f2
SHA1: 476b5a4534cdf0244094b594b4c55bc0a9703386
SHA256: 12545FA43BA12A605AA838CEC3A6DF657A50ADABF5D5DDB9E70C88AF8FF3F987
File Size: 7.04 MB, 7043023 bytes
MD5: 1171185c71752315d7503477a014da27
SHA1: f7a20aa61bc324742f6f072127d9c22a11e46af9
SHA256: 33B7ECD3C7EFF26D7F683DC64F5F52BE86F9332F2332105D04E52ED3EA4047A8
File Size: 7.02 MB, 7023055 bytes
MD5: 2f5d3dcb571bd43e984d0d392bb63aa1
SHA1: 54e465e8940195744e3c0e01de8f0d77b9451a71
SHA256: F69A63A1376F99E1F8059676C502348DD4C97E0546AA0282647049F148F37605
File Size: 7.03 MB, 7032783 bytes
MD5: 1bc7e2750c22e788ce15c99364a651c6
SHA1: e38a96530dc2ff0b896a71fd7cb42cda59c8ab7b
SHA256: D28629977FB1092C0F1E5A1BBB4BACE82542863CCA3474EE3F9DA461F7D842B6
File Size: 7.99 MB, 7993112 bytes
MD5: d901bbfaa235e568fe55c2af87d8a673
SHA1: a7ad75ff2b288e2369c80863f3cbd845602bd8d2
SHA256: FE3EBC9BA6C80A4A1DE5D84C4701C046089B14BAD88EEAA00F08F1D3144D3444
File Size: 7.99 MB, 7993088 bytes
MD5: 53c4e243b9f708787ac3278d52d86a7c
SHA1: 9fe71816994ebf8a50a630919505fd370faf670a
SHA256: 31A8073F2366A21877CD330B11C718C884C5EA2FA5C34358C4C8452B5C2676B6
File Size: 9.99 MB, 9992824 bytes
MD5: 62d3cd6ec161ab927e456aa387885fd3
SHA1: a67323a09cb8be0949d1f184b79bd712a52d99b7
SHA256: 6FA40CBE2CC4C19BA970E433D5D9EB4D370FEF037C74528ECFD89B3718EB88E9
File Size: 9.84 MB, 9838696 bytes
MD5: 6fc8c1879ec4d82f004574f08ec8cd3d
SHA1: 26004480a7887c044e381f2ec89126be4aae4c2f
SHA256: CFD4717DAEE6795DAB78057D8B7FFB8042DB333BE4DACBFE3E93C533CF02AD84
File Size: 7.99 MB, 7993136 bytes
MD5: fa54304e00fd18e6baaf7a9b058670b9
SHA1: 6a955b11e273d09e2aa15393f12a08469227f9a8
SHA256: 8B56A4B7572D6BD87BD616C7F75DB929F8F66105FB4E2E7F6BFD33C0833DCF81
File Size: 9.85 MB, 9852528 bytes
MD5: 429319150e66d28ef8350454b667acf1
SHA1: dd2a09164d73d6d5c7c4fa488b4e49666cb112de
SHA256: C90F0B3797749644180CCBB8EA0D21AFD0F945E0ECBE99FF1E0E05A0FB13EF2F
File Size: 9.86 MB, 9856096 bytes
MD5: c63b0579e83f9b4fb86b369a21082fe6
SHA1: 111d4edee4fc26e3f0b4f085ca2e75cec2b7b324
SHA256: F5BE1CBEC27B0C6342B4FFBEECD704007BC3EEA48F7A425DF7683FA22A02B5D1
File Size: 9.84 MB, 9835112 bytes
MD5: 8cf9cb8258740ab24b9a7419ca879433
SHA1: bad030340bacd86ea5bad91cb725ba1465a2dd93
SHA256: 45613E438E2C9A03BABD3593DEBBFDE7D55805CC832638CA58FF142465795329
File Size: 7.05 MB, 7045583 bytes
MD5: 7b3df69dee5350bbee17d9ebde1843af
SHA1: bce121087c485d987bbdc8f6e3c24c7ce1f64c5d
SHA256: 608631D9C7CBD866245353667C69E79FC767C45868C1775881420074569C17F6
File Size: 6.97 MB, 6966552 bytes
MD5: f0a5ee6f0740a886661ccce0c6abede3
SHA1: 4af09561465a4fbfa355aa56c82f3d08cb1a89ee
SHA256: 092E9914476510CD1289C7750FDFB0F6C35AAAE5EBAADA8E6F7885B0515BFE60
File Size: 9.83 MB, 9830992 bytes
MD5: f0f04bd9fc207464bc2a5228ef93c627
SHA1: 61f36deb640602bafc47e340ae871310f72fbff0
SHA256: 75488FB39D467EBCF88A758F2D09E04281222ECB8FC24E46D453BB0A547475BD
File Size: 7.62 MB, 7615272 bytes
MD5: dd2cae54828950d64683e21e26c0bf3a
SHA1: b0a29b6afc42fcc43bbb5131fa56dbd25e0f541d
SHA256: 30FFBE89CA82C0DEE481DC1969D0C1DAB4AED315EBFB755AC243A491B2D2012B
File Size: 6.59 MB, 6589704 bytes
MD5: 13f8f24375dddeb5de17599d36ebe91e
SHA1: bb613b0fa421a5ce88857a82460db017c4429dbe
SHA256: 49D692A0327C72EEFDC7D6E61E36DFFFE09A3549729C9B64206980C0B5B27E70
File Size: 7.76 MB, 7756151 bytes
MD5: d85275569917abb391c48ad1b856fbcb
SHA1: cd0b35fac1f6cb6be41974a7f625d55dd08bbba1
SHA256: 47DC610E78AB1B84FA49ABD8860F67917FC6FC9CEBEED543FBFB19A4D421655B
File Size: 7.85 MB, 7850792 bytes
MD5: 111b384ed358236c6e74aedffaf2b14b
SHA1: 5ecfdf3667b83a5dbe1c4669e300ec1ee95af97e
SHA256: 9CDD4F7B104725A687AFBD5E5BAD2FF2A215564D09234A6E5B0A6FF733FDAD3C
File Size: 9.96 MB, 9960552 bytes
MD5: 65f619ac69972ed07c5dcfe4074c0085
SHA1: e26fd6095ccefc85835d42e4725f21d32ef940b0
SHA256: 91BE7D6C9E5093F925F0BDC2B948F81D1C85A5EBFBEFBC369AF8541BCEC4F9A0
File Size: 9.84 MB, 9843320 bytes
MD5: a00ceb652577efe0273df67b4382bcc8
SHA1: 3201c652bb481f74dbee1b29b1b659f65070d079
SHA256: F1C59EFAB6249D5A5FFC5132E0B9C8875C743135D97257155FB55CC792904E90
File Size: 7.59 MB, 7590160 bytes
MD5: 516ed150dd55898561a05593e80d5eec
SHA1: 0ad2d3b2d0147b35608a4d053fe916993842257f
SHA256: E01376EF8D2ADFD8D2CA38BD581CE724135115C3A712AB7E7C2AF50CA10B8323
File Size: 9.84 MB, 9841264 bytes
MD5: 08d43ff8a400f9ef9c85d8408025b8a0
SHA1: a6462eb9e47e19c7448be8be558f079ff36e4ec0
SHA256: 216B28A7496717C5B8215FE7732C45A7045F2FBBD33463BBB51D193284830EDF
File Size: 196.61 KB, 196608 bytes
MD5: 41151189e3b8deb2366c0528b61338e3
SHA1: e620b15f8d387a76a8555ece12da772e7a0cd3a3
SHA256: 1CC412E9CE1464EEEB9E6356E408F4D583C165D9C9DF774003306DCC29970D67
File Size: 2.96 MB, 2955312 bytes
MD5: 01b9997e0196db50e496db822ce4b2c9
SHA1: 27172beff93870c1c823ab78045988752642b468
SHA256: 5808291A0D5CAA593DC2CBC0A825AAD6F1E0004CCFCDF94B5F7705F26447CA2F
File Size: 7.99 MB, 7993120 bytes
MD5: 89de625ff2ca3c265e4c9d0a129fdf24
SHA1: 0bdf7a6309514f533e39625813f7f11b5c7cb00d
SHA256: 8A6C33A575E587C3BC1DCF178BA483C5024BE9827262C38FF2FE0B4D8B0F1EED
File Size: 9.99 MB, 9986704 bytes
MD5: 89806b3270df9f191293a1dca91f8894
SHA1: 7835989c61aedf61c43384585395dce8f270c83d
SHA256: 81DAEDCEB4C6CC5C595150AA5024BAE2D13FA098702C7F434EFB61241ECBD026
File Size: 7.62 MB, 7615776 bytes
MD5: cc816160e8ffecad3d9c47c3ca72f3bb
SHA1: bc9e2b117f338a46a72c71a62963bb74c2e15dcb
SHA256: D2B83691B5A3130830FA175A0D901B52690ED1AD7BD9292A4FD528877F766E13
File Size: 7.62 MB, 7619344 bytes
MD5: 7a83bf1bd2e5212abcdc4c04d9947da5
SHA1: b8f8e34d9fb8583baf8512dc60ee9bf3877d632f
SHA256: EF312B24DB316F11AC62D445E63B5555490867450051C72BC39092B596A2D107
File Size: 9.83 MB, 9830032 bytes
MD5: 7fbc6079b3cd9ff9c9bc667308b18622
SHA1: 54008bfc7666169fb82698b002a24358c8ae29e3
SHA256: 7A50ACC68F222C6F5DB0EDA0CAFE3D43C661F5C94CBA508B5ACFDBAA79A944EE
File Size: 9.84 MB, 9839720 bytes
MD5: 443adb5dae7a2e747608c996d9d54972
SHA1: c02c01cadced9bfce65d8d32c88bb28e2422c3e0
SHA256: BC7887B7012DC107B2EAE0E8B0676B1DF008371EB342C156F23CEFADB7777845
File Size: 504.83 KB, 504832 bytes
MD5: 418798a5fdce72a706556595db1f4f34
SHA1: 73220fd757d92335d326367fa5a8ef2f76e6c0ee
SHA256: C76623693BE8278EEEF470DC17FC9CDB4F5A2D8FF900A09EB7B0BD10DD6341F2
File Size: 10.00 MB, 9998456 bytes
MD5: ddc3cf6f9687400b9a67a27276b2ce0e
SHA1: 9935cd1e3afa38ab69cf3ae0721e408db918e882
SHA256: 432B080758B04397BAAB7A5B642E70EA1FBA853246EB939084AB7484E683DC79
File Size: 6.58 MB, 6577816 bytes
MD5: 4a2cca57e92a992909934151d469ed9e
SHA1: b4184904fa37abce9668c223873b8d80943f868e
SHA256: 28532B6FB225FFD64B4A6B78AE66395675E91E569A920E5918988A660D577760
File Size: 9.86 MB, 9856624 bytes
MD5: fe63ee65965a5258b47f0bb116dfd8b2
SHA1: de3f75424cd44a82a7e3fa0eba4bcab3d83360e1
SHA256: 73800000C3892ADE04E0383BBE15F0D269983083C76F10166AE5F9B304BA4474
File Size: 4.67 MB, 4674768 bytes
MD5: e9339107cb96312636a46652c2c21333
SHA1: 733f08a01d6c18e82638ad187ed4007ce387411e
SHA256: AF93DD748CBE608F0EB5EC41F8065A6337455B1D91F10B4C198BBEB5D061B992
File Size: 7.75 MB, 7754103 bytes
MD5: 8287763f4b47c0cc62180962537337ca
SHA1: 26123b11407ee8ed428a734f0e8f59f4440fdac4
SHA256: C17570951536DB3FC92C798214566A9004366DD8C61EAA714A630CD2EA29F7F5
File Size: 6.56 MB, 6562480 bytes
MD5: e587c3847c2ea23dcbd37530c08a6bc3
SHA1: c558f1583fb7772d2986b51859e43896a0cb3c7f
SHA256: 4CCA0AED2704BE1885B254FA4C8F5D6784D6DB5809727901B24D87506B2FCA84
File Size: 9.85 MB, 9846384 bytes
MD5: a55fd2ef4292fd8be641e9e14239e5b6
SHA1: e05661824429f947882bcf0c1f5a4c2faddb1405
SHA256: ADE08F5FFE364B6A0F9AF40673E5E7598B9DEC9497193D8B6874F7212380FFE5
File Size: 6.59 MB, 6589720 bytes
MD5: eae977e692808933e9b742f3991215c4
SHA1: d0c095853189feba809fdcacf2a301e9a76ad7a7
SHA256: 15A09CB763D554ADF2EFAF8D9EC532C158AC03046DE7F992DC74083375F26095
File Size: 7.62 MB, 7616280 bytes
MD5: ac6a537fb4f2b53acdc9dad877c35bb9
SHA1: a3c19868c597da6f2ca293de836f80a6ce62424c
SHA256: 1C9FE73A4D8420D51401F1C47FC7FE7EFD2411D5B3FBD42978B5028D7E5A5567
File Size: 507.39 KB, 507392 bytes
MD5: a441fda9dd602bcb5bb67cbfaa458604
SHA1: 45042fc2bc6e575027f9e6ecc370f8311dec4914
SHA256: F92690377EE25542BA0DDEE94D10DC863355603776753BFFC495CA2A7F46C619
File Size: 6.59 MB, 6592248 bytes
MD5: 99fa378c3febaa9d49549f2f44e150b0
SHA1: 5fbf47160edbb54386e1e1b4dc4d1cc84b448490
SHA256: 31EDE527AB43F23D012260B831A3862A4433A2FE40A5AFF8619BCC866C72515C
File Size: 7.73 MB, 7734135 bytes
MD5: 5834210dcfa4f840899f3646a2da8d54
SHA1: ccd83fcb1fbc912b92e9cd46ff33d7d1c687a230
SHA256: 804D250B5EC16FC264BA2015E91304E01B5FEAC9DAC78BBF62BF52D86E25ABD8
File Size: 506.88 KB, 506880 bytes
MD5: d482c7611120ae742de5b22ac091444b
SHA1: da076b964de7f77b732420b31c53fcd7ee0adc3d
SHA256: 1F35F91366C8164E8737A82D97BE645D00385EB98DC000352A65152FD60B3B5A
File Size: 9.85 MB, 9852552 bytes
MD5: 8d7d2f118c746551e42367db802307b8
SHA1: abf39f6626beaae5e913e38a4c25636a0e95cf82
SHA256: 2A178697A897ECC5E5B3294EFE11D13499B2803B7CCD5F90CB0F9008C3268F52
File Size: 5.17 MB, 5173848 bytes
MD5: 5fc658ec5385bd0ab26c8a16445bc315
SHA1: 0d10072f897a7633199ddbd39f30c7896aae4b45
SHA256: F7FB916BEE47EAAC77DF47BCC81723BE49616C33524F799D0F8D1F6FDC2B0165
File Size: 507.39 KB, 507392 bytes
MD5: 23cfe327cebe84a6c3feb3b11ea6bb9e
SHA1: 096584f9e14cb63b1f6e57ef694ffa8dd1fd45b0
SHA256: 2D71381F9D1C7B60A166FEC73A969CB641F1EB7CCEA962110955A44CEAEFA6F7
File Size: 5.65 MB, 5647560 bytes
MD5: bfea08c8a002da0ec37875c9ea22010d
SHA1: c7fa9d6555853ab7f227a9ed9d8d6ccf3b256ca8
SHA256: 6DC05BAC223455D58E66F2BCE6F6AAB88C17AFD5D0D5F6870C21375D8A2F9109
File Size: 7.62 MB, 7618840 bytes
MD5: 85eb29aed8d2a3b7da7b4e9b3a2b0ae8
SHA1: 6342d733d3f388948ebc14676cb757133ea2684c
SHA256: 7625835C36BB46DD1A83CE3B5329D4DA29716BFE7D2C90292A17562E54FE6C85
File Size: 9.83 MB, 9829992 bytes
MD5: 367cfe41fe67346a6b1d931b097739d6
SHA1: a7104c8a5110760ee263d2480e70c9524af57287
SHA256: 7A4CDC749EE5429051F19A821092F2BDD284830963413AE28849DD7D19A9B8AF
File Size: 9.84 MB, 9843312 bytes
MD5: baa839d1e0edd49d778aeab2d6d1e369
SHA1: 05727624efd30ffd19099294490766bbea8316e1
SHA256: 27CB6D1DBCD5CD758EB93CC2F950BE7D4C8729694F3F00A6DC25299F6A308FD3
File Size: 507.39 KB, 507392 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
Show More
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Comments https://rufus.ie
Company Name
  • Akeo Consulting
  • Code Jelly
  • The libjpeg-turbo Project
  • This installation was built with Inno Setup.
File Description
  • Ditto
  • HxD Hex Editor Portable Setup
  • Launchy Stp
  • NanaZip Self Extracting Executable (Setup)
  • Rufus
  • TurboJPEG API DLL
  • Winboard 32-bit GUI for chess
File Version
  • 5.0.1283.0
  • 4.6.0
  • 4.2.2074
  • 3.24.246.0
  • 2.5
  • 0,4,0,0
Internal Name
  • CP_Main
  • NanaZip.Core.Sfx.Setup
  • Rufus
  • turbojpeg
  • Winboard
Legal Copyright
  • Copyright (C) 2003
  • Copyright © 1991-2024 The libjpeg-turbo Project and many others
  • GPLv3 Copyright © 2009
  • © 2011-2023 Pete Batard (GPL v3)
  • © M2-Team and Contributors. All rights reserved.
Legal Trademarks https://www.gnu.org/licenses/gpl-3.0.html
Original Filename
  • Ditto
  • NanaZip.Core.Setup.sfx
  • rufus-4.2.exe
  • turbojpeg.dll
  • winboard.exe
Product Name
  • Ditto
  • HxD Hex Editor Portable
  • Launchy
  • libjpeg-turbo
  • NanaZip
  • Rufus
  • Winboard
Product Version
  • 5.0.1283.0
  • 4.6.0
  • 4.2.2074
  • 3.24.246.0
  • 3.1.0
  • 2.5

Digital Signatures

Signer Root Status
Razor Resist Align Guilt Self Signed
Plump Free Altitude Enormous Self Signed
Superior Buy Bang Survey Self Signed
Dub Refine Buckle Offspring Self Signed
Newcomer Neither Bulk Prejudice Self Signed
Show More
Unique Transparent Coarse West Self Signed
Collapse Offence Concur Stash Self Signed
Remedy Draw Crate Liver Self Signed
Surrender Heat Create Poke Self Signed
Interrogate Beat Deer Resort Self Signed
Accident Siblings Destination Bachelor Self Signed
Nod Bang Doubt Persist Self Signed
Fellow Buy Drag Widow Self Signed
Over Sore Drown Sulfur Self Signed
Adverb Blow End Disclose Self Signed
Event Well-being Fir Contend Self Signed
Aspire Endow Inhibit Susceptible Self Signed
Off Tick Inquire Hit Self Signed
Naughty Aerial Instant Database Self Signed
Therefore Sympathy Inventory Turn Self Signed
Throw Primitive Lineage Out Self Signed
Delinquent Annoy Means Scheme Self Signed
Conscious Underlie Plow Shun Self Signed
Beak Crown Praise Indulge Self Signed
Miss Meager Provide Mammal Self Signed
Hostage Jolt Proximity Send Self Signed
Pick Shelter Quaint Swap Self Signed
Earring Considerable Quarrel Terms Self Signed
Hebrew Shut Regard Mark Self Signed
Teton Advertising, LLC SSL.com EV Code Signing Intermediate CA RSA R3 Self Signed
Peck Ambulance Seek Knock Self Signed
Fragrant Intelligent Seldom Warp Self Signed
Significant Ambiguous Sequence Victim Self Signed
Run Fool Serene Unanimous Self Signed
Geared Vomit Snatch Come Self Signed
Bulk Preside Spectator Owl Self Signed
Relative Subsequent Station Tower Self Signed
Scrutiny Mock Stubborn Lizard Self Signed
Potato Oath Succumb Mayor Self Signed
Seem Junk Term Aside Self Signed
Arm Heap Undergo Make Self Signed
Graduate Confirm Vocabulary Light Self Signed
Soccer Look Weak Monetary Self Signed
Ray Stay Whim Shortage Self Signed

File Traits

  • 7-zip (In Overlay)
  • 7-zip SFX
  • big overlay
  • dll
  • fptable
  • HighEntropy
  • Installer Version
  • No Version Info
  • WriteProcessMemory
  • x86

Block Information

Total Blocks: 2,257
Potentially Malicious Blocks: 816
Whitelisted Blocks: 1,311
Unknown Blocks: 130

Visual Map

0 0 0 0 0 x ? ? x x x 0 0 x 0 x 0 0 0 0 0 x x 0 0 0 0 x x 0 x x x x 0 0 x x 0 x 0 x 0 x x 0 0 0 0 0 x 0 0 x 0 0 0 x x x x x x 0 0 0 x x x 0 0 0 0 0 0 x x 0 0 x x 0 0 0 x x 0 x 0 x x 0 x 0 x 0 x 0 0 x 0 x 0 0 0 x x x x x x 0 0 0 0 0 0 ? ? 0 x x 0 x x ? ? ? x ? x ? ? ? 0 ? ? x x ? ? x 0 ? x x 0 0 ? 0 0 0 0 x 0 0 x 0 x 0 0 x x ? 0 x x x 0 x x 0 0 x 1 0 ? 0 x x 0 x 0 x 0 ? ? ? ? 0 0 x 0 ? x x 0 x 0 0 ? 0 ? 0 0 x x 0 ? x 0 0 ? 0 0 0 x x 0 ? x x x x 0 ? ? x x x x x x x ? ? ? ? ? ? ? ? ? ? x 0 x 0 x x x x ? x 0 0 x ? ? ? x ? x ? x x 0 x 0 0 0 0 ? ? x ? ? x ? ? ? ? ? 0 0 0 x 0 ? ? 0 x x x x x x 0 x 0 0 x x x ? x x x x x x x 0 ? 0 x 0 x 0 x x 0 x x x x 0 0 x 0 0 x x ? x x x x x x x x x x x x x x x x x x x x x x 0 x 0 0 x x x x x x x ? x ? 0 x ? ? ? ? ? x x x x x x 0 x 0 0 x x 0 x x 0 0 0 0 x x 0 0 0 x ? x x ? ? x x x x ? ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 x 0 x x 0 x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 ? 0 x ? x ? 0 x 0 0 0 0 0 x x 0 x x x x x x x x 0 0 x x 0 0 0 0 0 0 x 0 0 x x x x x x 0 x 0 x 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 x 0 0 x x 0 x x ? 0 0 0 0 x 0 x 0 0 x x x x 0 0 x ? 0 x x 0 x x x x x 0 0 0 x ? 0 ? x ? ? x x 0 0 x x x ? ? x ? x ? x x x x ? x x x x x x ? x x x x x x ? ? x x 0 0 0 x 0 0 0 0 x x ? ? 0 x x x x x x ? 0 x x x ? x x x x 0 x 0 0 0 0 0 0 x x x x 0 x x x x x x x 0 x x x x x x x x x x ? x ? ? x x x x x x x 0 x x x ? x x x ? ? ? ? ? ? x ? ? x x x ? ? x x x x x x x x x x x x x x x x x ? x ? ? x x x x 0 x x x x ? ? x x ? x 0 ? x x x x x x x 0 0 x 0 x x x x x x 0 0 0 0 0 x x x x 0 x ? ? ? ? ? ? ? ? ? ? ? 0 ? x x x 0 x x 0 0 x 0 x x x 0 0 x 0 x x x x x x x x x x 0 x x x x x x 0 x 0 0 x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x 0 0 x x x x x x x x x x x x x x x x 0 0 x x x x x 0 x x x x x x x x x 0 x x x x x x 0 0 x x x x x x x 0 x x x 0 x x x x x x x x x x x x x x 0 x x x x x x x x x x x x x x x x x x x x x 0 x x x x x x x x x x 0 0 x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x 0 x x 0 x x x x x x x x x x x x 0 x x x x x x x x x x x x x x x x x x x x 0 0 x x x 0 x x x x x x x x x x x x x x x x x x x x x x 0 0 x x x x x x x 0 0 x x x x x x x x x 0 x x x x x x x x x x x x x x x x x x x x 0 x x x x x x x x x 0 x x x x x x x 0 x x x x 0 0 x x x x x x x 0 x x x x x x x x x x x x x x x x x x x x x 0 x x x x x x 0 x 0 x x x x x x x x x x x 0 x 0 x 0 x 0 0 x x x x x x x x 0 0 x x x x x x x 0 x x x x 0 x x x x x x x x x x x x x x x 0 x x 0 x x x 0 x x x x 0 x x x x x x x x x 0 x x x x x x x x 0 0 0 x x x x x x x x x x 0 x x x x x x x x x x x x x x x x 0 x x 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 1 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 2 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 2 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 2 2 0 0 2 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
... Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.GHB
  • OpenSUpdater.GH
  • Remcos.HK

Files Modified

File Attributes
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
c:\programdata\df\logs.dat Synchronize,Write Attributes
c:\programdata\onedrive Synchronize,Write Attributes
c:\programdata\onedrive\onedrive.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\onedrive\onedrive.exe Synchronize,Write Attributes
c:\programdata\words\winzip.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\7zs03612dfc\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs03612dfc\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs0528bf01\setup.exe Generic Write,Read Attributes
Show More
c:\users\user\appdata\local\temp\7zs0528bf01\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs07671500\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs07671500\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs0870dd11\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs0870dd11\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs0a24f643\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs0a24f643\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs0ad5eafc Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs0ad5eafc\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs0ad5eafc\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs0d5a2600 Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs0d5a2600\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs0d5a2600\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs41fa3650 Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs41fa3650\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs41fa3650\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs4200d8bc\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs4200d8bc\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs471aa84b\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs471aa84b\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs47396319\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs47396319\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs4d6b9510\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs4d6b9510\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs80259eec Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs80259eec\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs80259eec\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs80869efc\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs80869efc\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs80a94419\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs80a94419\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs82bc38d0\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs82bc38d0\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs837ee344\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs837ee344\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs850b9dc0 Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs850b9dc0\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs850b9dc0\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs8559ecec\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs8559ecec\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs85606301 Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs85606301\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs85606301\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs85f7ad90\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs85f7ad90\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs86180db4\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs86180db4\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs8d15c271\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs8d15c271\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs8e6282bc Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zs8e6282bc\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zs8e6282bc\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zsc2529b51\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zsc2529b51\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zsc360e0f3 Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zsc360e0f3\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zsc360e0f3\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zsc8c888c4\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zsc8c888c4\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zsca18a5e1\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zsca18a5e1\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zscaf4faf5\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zscaf4faf5\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zscbfe9771 Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zscbfe9771\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zscbfe9771\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\7zscf483f80\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7zscf483f80\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\is-06jf8.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-0gl4u.tmp\_isetup\_regdll.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-0gl4u.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-0gl4u.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-123gg.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-1d5hd.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-5n9ad.tmp\_isetup\_regdll.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-5n9ad.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-5n9ad.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-5tvo2.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-6hvq3.tmp\_isetup\_regdll.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-6hvq3.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-6hvq3.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-7c8bv.tmp\_isetup\_regdll.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-7c8bv.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-7c8bv.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-7uoen.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-96sj3.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-99bo2.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-9e670.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-a779t.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-ac8at.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-ajt4s.tmp\_isetup\_regdll.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-ajt4s.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-ajt4s.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-bb847.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-bouc2.tmp\_isetup\_regdll.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-bouc2.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-bouc2.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-bqejm.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-c6nl4.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-ce1fg.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-h64ee.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-i6nn2.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-ka75s.tmp\_isetup\_regdll.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-ka75s.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-ka75s.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-kfglf.tmp\_isetup\_regdll.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-kfglf.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-kfglf.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-lajsn.tmp\_isetup\_regdll.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-lajsn.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-lajsn.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-lk7cs.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-pdnnt.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-rbo74.tmp\_isetup\_regdll.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-rbo74.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-rbo74.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-rej79.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-t27p3.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-t7go7.tmp\setup.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-ufse9.tmp\_isetup\_regdll.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-ufse9.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-ufse9.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows Synchronize,Write Attributes
c:\windows\chromeupdate.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\windows\chromeupdate.exe Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKLM\software\wow6432node\microsoft\windows\currentversion\run::rmc-699p21 "C:\ProgramData\Words\Winzip.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::rmc-3gik2c "C:\ProgramData\Onedrive\Onedrive.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 锄왿첾ǜ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::rmc00125401-6tuhwt "\Windows\ChromeUpdate.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\policies\explorer\run::rmc00125401-6tuhwt "\Windows\ChromeUpdate.exe" RegNtPreCreateKey
Show More
HKLM\software\microsoft\windows\currentversion\policies\system::enablelua RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetComputerNameEx
  • GetUserName
  • GetUserObjectInformation
  • OpenClipboard
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
Service Control
  • OpenSCManager
Process Shell Execute
  • CreateProcess
  • WriteConsole
Keyboard Access
  • GetKeyState
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Syscall Use
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
Show More
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN

Shell Command Execution

.\setup.exe
"C:\Users\Ktwvohxl\AppData\Local\Temp\is-9E670.tmp\setup.tmp" /SL5="$50060,4288458,79872,C:\Users\Ktwvohxl\AppData\Local\Temp\7zS0D5A2600\setup.exe"
"C:\Users\Ppkdpuwu\AppData\Local\Temp\is-I6NN2.tmp\setup.tmp" /SL5="$2021C,2973524,121344,C:\Users\Ppkdpuwu\AppData\Local\Temp\7zS07671500\setup.exe"
"C:\Users\Bgltsvuz\AppData\Local\Temp\is-C6NL4.tmp\setup.tmp" /SL5="$70062,4288458,79872,C:\Users\Bgltsvuz\AppData\Local\Temp\7zS80A94419\setup.exe"
"C:\Users\Eblvjrtr\AppData\Local\Temp\is-AC8AT.tmp\setup.tmp" /SL5="$60244,4288458,79872,C:\Users\Eblvjrtr\AppData\Local\Temp\7zS4200D8BC\setup.exe"
Show More
"C:\Users\Fhwqzurz\AppData\Local\Temp\is-REJ79.tmp\setup.tmp" /SL5="$50232,4288458,79872,C:\Users\Fhwqzurz\AppData\Local\Temp\7zSC8C888C4\setup.exe"
"C:\Users\Atcsqerh\AppData\Local\Temp\is-123GG.tmp\setup.tmp" /SL5="$190322,4288458,79872,C:\Users\Atcsqerh\AppData\Local\Temp\7zSC2529B51\setup.exe"
"C:\Users\Tnevuyke\AppData\Local\Temp\is-5TVO2.tmp\setup.tmp" /SL5="$1402BE,4288458,79872,C:\Users\Tnevuyke\AppData\Local\Temp\7zSCA18A5E1\setup.exe"
"C:\Users\Qnkwcbnr\AppData\Local\Temp\is-7UOEN.tmp\setup.tmp" /SL5="$90284,4288458,79872,C:\Users\Qnkwcbnr\AppData\Local\Temp\7zS03612DFC\setup.exe"
"C:\Users\Izcibnxh\AppData\Local\Temp\is-99BO2.tmp\setup.tmp" /SL5="$A80260,2973524,121344,C:\Users\Izcibnxh\AppData\Local\Temp\7zS86180DB4\setup.exe"
"C:\Users\Hahlinib\AppData\Local\Temp\is-BQEJM.tmp\setup.tmp" /SL5="$16004C,4288458,79872,C:\Users\Hahlinib\AppData\Local\Temp\7zS837EE344\setup.exe"
"C:\Users\Rdyrxwjl\AppData\Local\Temp\is-CE1FG.tmp\setup.tmp" /SL5="$110068,4288458,79872,C:\Users\Rdyrxwjl\AppData\Local\Temp\7zS80259EEC\setup.exe"
"C:\Users\Owuxkdio\AppData\Local\Temp\is-06JF8.tmp\setup.tmp" /SL5="$F01E8,4288458,79872,C:\Users\Owuxkdio\AppData\Local\Temp\7zS41FA3650\setup.exe"
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\e620b15f8d387a76a8555ece12da772e7a0cd3a3_0002955312.,LiQMAxHB
"C:\Users\Uxlrafeg\AppData\Local\Temp\is-T7GO7.tmp\setup.tmp" /SL5="$70332,4288458,79872,C:\Users\Uxlrafeg\AppData\Local\Temp\7zS8559ECEC\setup.exe"
"C:\Users\Ajfhsvye\AppData\Local\Temp\is-PDNNT.tmp\setup.tmp" /SL5="$40374,4288458,79872,C:\Users\Ajfhsvye\AppData\Local\Temp\7zSCBFE9771\setup.exe"
"C:\Users\Pmlzcpjt\AppData\Local\Temp\is-T27P3.tmp\setup.tmp" /SL5="$70334,4288458,79872,C:\Users\Pmlzcpjt\AppData\Local\Temp\7zS850B9DC0\setup.exe"
"C:\Users\Esocpsvk\AppData\Local\Temp\is-1D5HD.tmp\setup.tmp" /SL5="$B0176,4288458,79872,C:\Users\Esocpsvk\AppData\Local\Temp\7zS82BC38D0\setup.exe"
"C:\Users\Klczevao\AppData\Local\Temp\is-H64EE.tmp\setup.tmp" /SL5="$80160,4288458,79872,C:\Users\Klczevao\AppData\Local\Temp\7zSCAF4FAF5\setup.exe"
"C:\Users\Fnngmpxr\AppData\Local\Temp\is-96SJ3.tmp\setup.tmp" /SL5="$1A026C,2973524,121344,C:\Users\Fnngmpxr\AppData\Local\Temp\7zS85F7AD90\setup.exe"
"C:\Users\Gassmdmr\AppData\Local\Temp\is-BB847.tmp\setup.tmp" /SL5="$50328,2973524,121344,C:\Users\Gassmdmr\AppData\Local\Temp\7zS80869EFC\setup.exe"
"C:\Users\Ghzxbgyu\AppData\Local\Temp\is-A779T.tmp\setup.tmp" /SL5="$6034A,4288458,79872,C:\Users\Ghzxbgyu\AppData\Local\Temp\7zSCF483F80\setup.exe"
"C:\Users\Tesargmq\AppData\Local\Temp\is-LK7CS.tmp\setup.tmp" /SL5="$30356,4288458,79872,C:\Users\Tesargmq\AppData\Local\Temp\7zSC360E0F3\setup.exe"
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\WINDOWS\System32\reg.exe C:\WINDOWS\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
WriteConsole: The operation co
WriteConsole:
WriteConsole: c:\users\user\do

Trending

Most Viewed

Loading...