Windows Analysis Report
https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5

Overview

General Information

Sample URL:	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5
Analysis ID:	1428438
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected Remcos RAT

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

System process connects to network (likely due to code injection or exploit)

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Blob-based file download detected

Creates autostart registry keys with suspicious names

Potential malicious VBS script found (suspicious strings)

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Sigma detected: WScript or CScript Dropper - File

Uses dynamic DNS services

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Windows Shell Script Host drops VBS files

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Script Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses reg.exe to modify the Windows registry

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://geoplugin.net/json.gp

URL Reputation: Label: phishing

Yara detected Remcos RAT

Source: Yara match	File source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2490459455.0000000000638000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.16:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.16:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.16:49898 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.16:49899 version: TLS 1.2

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 148.72.177.212 443

Uses dynamic DNS services

Source: unknown

DNS query: name: faststaynow.duckdns.org

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: adobe.tt.omtrdc.net

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.16:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.16:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.16:49898 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.16:49899 version: TLS 1.2

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2490459455.0000000000638000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Blob-based file download detected

Source: C:\Users\user\Downloads\2023 Tax Organizer.zip

File download: blob:https://acrobat.adobe.com/2b8c944b-39d2-4efa-8686-d2e1adb6d166

Potential malicious VBS script found (suspicious strings)

Source: C:\Windows\SysWOW64\wscript.exe

Dropped file: EMPYA.ShellExecute APPDATA & "\VJQSJ.cmd", "", APPDATA, "", 0

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: XML HTTP 6.0 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a0a-f192-11d4-a65f-0040963251e5}

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f

Yara signature match

Source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.expl.evad.win@28/101@44/273

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-DRFJJD

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

File created: C:\Users\user\AppData\Local\Temp\Memory.vbs

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"

Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'ekrn.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'ekrn.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'egui.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'avp.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'bdagent.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'ekrn.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'ekrn.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'egui.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'avp.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'bdagent.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'ekrn.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'egui.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'avp.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'bdagent.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'ekrn.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'egui.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'avp.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'bdagent.exe'

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=2012,i,12056640513929630974,10995804170337098686,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=2012,i,12056640513929630974,10995804170337098686,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe "C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe "C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe "C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: g2m.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wsock32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: secur32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wininet.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: avicap32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: d3d9.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: msvfw32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: samcli.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: logoncli.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: k7rn7l32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: ntd3ll.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wininet.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: propsys.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: edputil.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: policymanager.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: slc.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: sppc.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncryptsslp.dll

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Persistence and Installation Behavior

Windows Shell Script Host drops VBS files

Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\Start Menu\Programs\Startup\FDNUA.vbs
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\Start Menu\Programs\Startup\FDNUA.vbs

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Windows\SysWOW64\reg.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *Chrome

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\Start Menu\Programs\Startup\FDNUA.vbs
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\Start Menu\Programs\Startup\WindowsServices-RDGVW.lnk
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\Start Menu\Programs\Startup\FDNUA.vbs
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\Start Menu\Programs\Startup\WindowsServices-RDGVW.lnk

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *Chrome
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *Chrome

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

Window / User API: threadDelayed 9812

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe TID: 4800	Thread sleep count: 78 > 30
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe TID: 4800	Thread sleep time: -234000s >= -30000s
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe TID: 4800	Thread sleep count: 9812 > 30
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe TID: 4800	Thread sleep time: -29436000s >= -30000s

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 148.72.177.212 443

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe "C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2490459455.0000000000638000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-DRFJJD

Yara detected Remcos RAT

Source: Yara match	File source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2490459455.0000000000638000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.40.205.16	unknown	United States	20940	AKAMAI-ASN1EU	false
151.101.1.138	cdn-sharing.adobecc.map.fastly.net	United States	54113	FASTLYUS	false
23.209.188.7	unknown	United States	9498	BBIL-APBHARTIAirtelLtdIN	false
52.202.204.11	unknown	United States	14618	AMAZON-AESUS	false
46.183.222.118	faststaynow.duckdns.org	Latvia	52048	DATACLUBLV	true
18.235.168.50	unknown	United States	14618	AMAZON-AESUS	false
142.250.105.113	unknown	United States	15169	GOOGLEUS	false
50.16.240.61	unknown	United States	14618	AMAZON-AESUS	false
104.18.32.195	unknown	United States	13335	CLOUDFLARENETUS	false
172.64.155.61	unknown	United States	13335	CLOUDFLARENETUS	false
3.161.193.61	dd20fzx9mj46f.cloudfront.net	United States	16509	AMAZON-02US	false
63.140.39.130	adobe.com.ssl.d1.sc.omtrdc.net	United States	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
148.72.177.212	textbin.net	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
104.18.32.77	unknown	United States	13335	CLOUDFLARENETUS	false
13.226.100.23	unknown	United States	16509	AMAZON-02US	false
44.198.86.118	unknown	United States	14618	AMAZON-AESUS	false
23.22.254.206	unknown	United States	14618	AMAZON-AESUS	false
96.7.225.33	unknown	United States	20940	AKAMAI-ASN1EU	false
23.48.105.219	unknown	United States	20940	AKAMAI-ASN1EU	false
142.250.105.94	unknown	United States	15169	GOOGLEUS	false
13.226.100.103	unknown	United States	16509	AMAZON-02US	false
23.11.229.233	unknown	United States	20940	AKAMAI-ASN1EU	false
142.250.105.105	www.google.com	United States	15169	GOOGLEUS	false
23.209.188.17	unknown	United States	9498	BBIL-APBHARTIAirtelLtdIN	false
172.253.124.94	unknown	United States	15169	GOOGLEUS	false
104.17.27.92	widget.uservoice.com	United States	13335	CLOUDFLARENETUS	false
23.47.218.150	unknown	United States	16625	AKAMAI-ASUS	false
64.233.185.101	unknown	United States	15169	GOOGLEUS	false
63.140.39.9	adobetarget.data.adobedc.net	United States	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.66.0.163	unknown	United States	13335	CLOUDFLARENETUS	false
44.196.228.180	unknown	United States	14618	AMAZON-AESUS	false
99.86.229.114	prod.adobeccstatic.com	United States	16509	AMAZON-02US	false
52.71.63.232	api.echosign.com	United States	14618	AMAZON-AESUS	false
18.207.85.246	unknown	United States	14618	AMAZON-AESUS	false
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false
184.31.61.57	unknown	United States	16625	AKAMAI-ASUS	false
50.16.103.66	unknown	United States	14618	AMAZON-AESUS	false
3.233.142.19	unknown	United States	14618	AMAZON-AESUS	false
172.217.215.84	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16

Contacted Domains

Name	IP	Active
dd20fzx9mj46f.cloudfront.net	3.161.193.61	true
privacycollector-production-457481513.us-east-1.elb.amazonaws.com	3.217.28.88	true
textbin.net	148.72.177.212	true
widget.uservoice.com	104.17.27.92	true
api.echosign.com	52.71.63.232	true
faststaynow.duckdns.org	46.183.222.118	true
geoplugin.net	178.237.33.50	true
cdn-sharing.adobecc.map.fastly.net	151.101.1.138	true
adobetarget.data.adobedc.net	63.140.39.9	true
adobe.com.ssl.d1.sc.omtrdc.net	63.140.39.130	true
www.google.com	142.250.105.105	true
by2.uservoice.com	104.17.27.92	true
prod.adobeccstatic.com	99.86.229.114	true
use.typekit.net	unknown	unknown
c.evidon.com	unknown	unknown
ims-na1.adobelogin.com	unknown	unknown
assets.adobedtm.com	unknown	unknown
l.betrad.com	unknown	unknown
dc-api-v2.adobecontent.io	unknown	unknown
p.typekit.net	unknown	unknown
dc-api.adobecontent.io	unknown	unknown
adobe.tt.omtrdc.net	unknown	unknown
cdn-sharing.adobecc.com	unknown	unknown
static.adobelogin.com	unknown	unknown
files-download2.acrocomcontent.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	true	URL Reputation: phishing	unknown
about:blank	false		low

AV Detection

Antivirus detection for URL or domain

Source: http://geoplugin.net/json.gp

URL Reputation: Label: phishing

Yara detected Remcos RAT

Source: Yara match	File source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2490459455.0000000000638000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.16:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.16:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.16:49898 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.16:49899 version: TLS 1.2

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 148.72.177.212 443

Uses dynamic DNS services

Source: unknown

DNS query: name: faststaynow.duckdns.org

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: adobe.tt.omtrdc.net

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.16:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.16:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.16:49898 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.16:49899 version: TLS 1.2

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2490459455.0000000000638000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Blob-based file download detected

Source: C:\Users\user\Downloads\2023 Tax Organizer.zip

File download: blob:https://acrobat.adobe.com/2b8c944b-39d2-4efa-8686-d2e1adb6d166

Potential malicious VBS script found (suspicious strings)

Source: C:\Windows\SysWOW64\wscript.exe

Dropped file: EMPYA.ShellExecute APPDATA & "\VJQSJ.cmd", "", APPDATA, "", 0

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: XML HTTP 6.0 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a0a-f192-11d4-a65f-0040963251e5}

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Yara signature match

Source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.expl.evad.win@28/101@44/273

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-DRFJJD

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

File created: C:\Users\user\AppData\Local\Temp\Memory.vbs

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"

Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'ekrn.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'ekrn.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'egui.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'avp.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'bdagent.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'ekrn.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'ekrn.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'egui.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'avp.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'bdagent.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'ekrn.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'egui.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'avp.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'bdagent.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'ekrn.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'egui.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'avp.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'bdagent.exe'

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=2012,i,12056640513929630974,10995804170337098686,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=2012,i,12056640513929630974,10995804170337098686,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe "C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe "C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe "C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: g2m.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wsock32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: secur32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wininet.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: avicap32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: d3d9.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: msvfw32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: samcli.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: logoncli.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: k7rn7l32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: ntd3ll.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wininet.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: propsys.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: edputil.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: policymanager.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: slc.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: sppc.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncryptsslp.dll

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Persistence and Installation Behavior

Windows Shell Script Host drops VBS files

Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\Start Menu\Programs\Startup\FDNUA.vbs
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\Start Menu\Programs\Startup\FDNUA.vbs

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Windows\SysWOW64\reg.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *Chrome

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\Start Menu\Programs\Startup\FDNUA.vbs
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\Start Menu\Programs\Startup\WindowsServices-RDGVW.lnk
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\Start Menu\Programs\Startup\FDNUA.vbs
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\Start Menu\Programs\Startup\WindowsServices-RDGVW.lnk

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *Chrome
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *Chrome

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

Window / User API: threadDelayed 9812

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe TID: 4800	Thread sleep count: 78 > 30
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe TID: 4800	Thread sleep time: -234000s >= -30000s
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe TID: 4800	Thread sleep count: 9812 > 30
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe TID: 4800	Thread sleep time: -29436000s >= -30000s

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 148.72.177.212 443

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe "C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2490459455.0000000000638000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-DRFJJD

Yara detected Remcos RAT

Source: Yara match	File source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2490459455.0000000000638000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

ID:	1428438
Product:	CloudBasic
Start time:	23:35:54
Start date:	18.04.2024
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\json[1].json	JSON data	334018F02CE31BCBB4864D602B557FE5	C6DE43E8D6B5C026C0B0A56A898A3F00B282B881	F70CE925C3923E25A5ADB7089E7EE752E771FBD073888ABFC426138C9094F1B3
C:\Users\user\AppData\Local\Temp\Memory.vbs	Unicode text, UTF-8 text, with CRLF line terminators	8F3213DD5A26F9FAF8B278B11C3C2C8F	E2AF8417A760EDBCAD8FF75BA7EED8F7BD653487	F90C2EC81FB78E657DC3D359BCF59A557D56DDC8E1B33E9B205707A221E21F36
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Apr 18 20:36:28 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	021DE06528D4CFD6E59C446E3389F030	0CC4C25893F3320710C5D18DD918334829770A21	B0A9E21299F9BD75E25D62E2299FC959B4AA7B58182460A7F7BE3A0E01AF3E7D
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Apr 18 20:36:28 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	2D4BD60B0778FDAB47B02838B94D9275	919AD1AD1166CF368E776344A05BBD90C31C5C6B	6E3DF363CB2B328A679B56866EB42659F15A6A0568D7841D2A60E3700C3F4DB7
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	A71307B64444C79029785EEDE244AB03	8E38DF17C07276B930DDCC5FCCA100C39F71614D	ADD2FB9D963033D8E3234377D8A0D37A3AC01D635D98D85E33443306CFE8CD73
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Apr 18 20:36:28 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	2ACC9610576B07A4FC1E32584FFC38F3	E4EB34E6CE0A9D96DCBAB6099C590C21C27D3F8F	203077F1F7291D2CB03C03FD067A3AEFD80F64D82BFE0F06CF76E51C5E2539A8
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Apr 18 20:36:28 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	622BC01F3B1C286E4BFC6F6F86107C2F	36B7E24A497737EF9572EE2207B4E4AC635CBF05	74CF3AC898D4FECAE6011F389C4A5E26C15D6BB5A51C1609EDF6FD7F603DCDF1
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Apr 18 20:36:28 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	A0669AA527977D3D0468AE06D5077904	3154574D6312C262E223E4BEDED059C702F88579	B57D0F9D627BE0D08CC1F6838E7EFC2F6BD6B0E780A1E366D4281F68BC613FFB
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FDNUA.vbs	ASCII text, with CRLF line terminators	0F6FB21DA68A3C96727F7B3F41C6396E	556AF81855F434E38AD4A48A99F1C026EE7490D8	5819DD543E8A14F37C805762DCD5A5D29D7DAD9FF8C16041605576CAB4FB2FD0
C:\Users\user\AppData\Roaming\WindowsServices\VJQSJ.cmd	ASCII text, with CRLF line terminators	98A00A7606758604E4AF1FFCD456465A	14F816305992F17A0C082F307D3F73AB94C1F859	B05C782898BE147FC51E30F958325CF4D0494A46EE37AE8BBE52D47202AA792E
C:\Users\user\Downloads\2023 Tax Organizer.zip (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	283F7EABB82F578F49510915C4B2BF4F	719DDEB335D1A6CE6D58826A363E249D974B82F7	BD8FF468B6FB4958059537257894153FC0CB9EB43F4A05C0B7C42DDD0FAC7DF9
C:\Users\user\Downloads\2023 Tax Organizer.zip.crdownload (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	283F7EABB82F578F49510915C4B2BF4F	719DDEB335D1A6CE6D58826A363E249D974B82F7	BD8FF468B6FB4958059537257894153FC0CB9EB43F4A05C0B7C42DDD0FAC7DF9
C:\Users\user\Downloads\853e3259-3419-4519-8671-df216c72cbf5.tmp	Zip archive data, at least v2.0 to extract, compression method=deflate	283F7EABB82F578F49510915C4B2BF4F	719DDEB335D1A6CE6D58826A363E249D974B82F7	BD8FF468B6FB4958059537257894153FC0CB9EB43F4A05C0B7C42DDD0FAC7DF9
Chrome Cache Entry: 180	Unicode text, UTF-8 text, with very long lines (65378), with no line terminators	C06229A781E83C19689A8E69F8490CA0	FC1EF66A9B1B2DE1143C4E4E04EA3A3D786F2BB8	F01574CC465CD6503734AD8FBF4A41054A9F6E1E2ABB0CA6D75CA1FFC1D13696
Chrome Cache Entry: 181	ASCII text, with very long lines (25528)	50693BDD5997F38C9F24FCABC7A7D6B4	47D6D476A248D57A5BC53596DFD4118E73D12315	2E7347BD752F9574CD766A969FB07EF3845084E6648F35F3A6C360106A22B9CC
Chrome Cache Entry: 182	ASCII text, with very long lines (28278)	42DF9A5567C3C99560A1CCC28DF62476	340F211624B18E5BA8992A3E3145A87DA14E556E	98EDDB8C9A965F96BD1518CC4547969C643D39AAA113A77A798828D742875911
Chrome Cache Entry: 183	ASCII text, with very long lines (65536), with no line terminators	8DE23108C8836398313D146E6CE71FCC	4A00B933092C9D00488FF39555263D383233EF68	7C55BACE96FF8D43C1D55BDB04A33D05186E6902A88BF2C4EB90E07BE5D1B7D2
Chrome Cache Entry: 184	ASCII text, with very long lines (7577)	A14505DD97019A129F678D3576650BE0	FA95E06B3D5CE939A495221A5C47C17E70224963	C364869FB939DE1903CED5B43092878FD11A03FF4C0EE2CF9715401352A343C9
Chrome Cache Entry: 185	Unicode text, UTF-8 text, with very long lines (65463)	24CD1EA752F4473C7A8D1C65783AE626	4B70D119EC4EE48AB74F4761A5B1BA4E574C63FD	710F5B945E5222B1AD77E025B9EDE5CCFD7AF8C34F7EBE8E3B5E130150C7843E
Chrome Cache Entry: 186	ASCII text, with very long lines (65536), with no line terminators	B4C8FF449B8A90A7FF6273A72FAF45FE	6CC31CE736727E5A834A8056EC18A9564C4CB310	2B52E160B0E68487C6190BEB887BA55DA796C4A513F0F90FBC39012E1B8FE402
Chrome Cache Entry: 187	ASCII text, with very long lines (65536), with no line terminators	8D7937B4E2A84255CDA8AF1AB85C2530	D11C25597F6C93BD288D6E94C4CEB61CCBF5493E	D9FE1F3B67D1CCDB83D78FE93C81A3961278B277D0007DC7ECD0A2A830C5B616
Chrome Cache Entry: 188	ASCII text, with very long lines (5906)	7F138CE1679B288CBF0DA64964D26EA7	BFFCF2F654E8C728A5AC472522E79964B63C4FDD	0F10B2C3E61121B99A186D14F9503C153B265C05191B5A57A616BED8FAFF1BAE
Chrome Cache Entry: 189	ASCII text, with very long lines (34857)	E4921B84A2B318984E39470926D1B64F	822ECCDF40D94851E516E11EAE067BD9CD9CC2D4	7D57D54D603A804BB51D0D3404FF5DC4CE9E069973FCD8C37B621CA4A7A9D41B
Chrome Cache Entry: 190	ASCII text, with very long lines (64886)	F1502FAC113B15D77B859C2478D9B136	754D39451C9EEB8A596A4AA830CAE09C783AA3E5	772DEA74AC13E776173863433338891757EA037A87735668D4908BC4143F650B
Chrome Cache Entry: 191	JSON data	3E090E08D95EEECF3E3500335B6903AC	585145AD697A1D80A591D499A3391B3D508C88D7	803B67EA86C7F9DE8043372B7D0C585EC0C7E06479EE79AE4D149E17A1A7D737
Chrome Cache Entry: 193	ASCII text, with very long lines (65536), with no line terminators	DE623D4444E16BF3BB4BD723A1BDE1C3	1124890E12672582E80C85D3F2BB31D24618C4C1	FFCF56342ABA3C9892167E2371A2EE3105D0C2FB9DA36C2F51AA4BC710B7B166
Chrome Cache Entry: 194	ASCII text, with very long lines (6130)	7ED0F1EF722F84DEFB521F8E88FB1F27	926EE03A0F189B7EB317AD870351071BA4B5F119	210B615F9F81400EFA0AB8DFC93A2241FC38359E2C4598347531580BFF8895E4
Chrome Cache Entry: 196	ASCII text, with very long lines (29715)	4BAD83408D238976D6A8EAA5C1534091	91E44C818D907199ACFE13423FC8A562491ABBB8	FB54EE5F77F197FC062E0B64531259D68BD0ECA0FFC7506229A1653CE4378DDD
Chrome Cache Entry: 197	ASCII text, with very long lines (56817), with no line terminators	3E49ABD556BF0FAAA6D165FE66146E90	7E265A832FD1D29F8402A251D921879E516038E3	D09069AC9ED675C69FF5C159CDA6F444A94085A1623F2AB91D6F4FB9F71E8879
Chrome Cache Entry: 198	Unicode text, UTF-8 text, with very long lines (65468)	4D898F0E68AF65735F36FC0F0EAE9BF9	555B542DF2ED960092F37B1F4937831897B12B78	0BB81B9FDE78C9EE50E977B64E7A34B9E9147F16F9612AA5D16B2B351FD99CF3
Chrome Cache Entry: 199	ASCII text, with very long lines (4557)	65B992FED2C7E849A349A8C195BF14F4	210472FF3A7DE182EB206A904D180C6CD4E119F6	07FD8D65CA2CAC79E3FD2A87165A70BC6507D5BDF93E3096F593392021798578
Chrome Cache Entry: 200	ASCII text, with very long lines (39619)	D6284BBD389AD6D0B939757A53A00DFE	D5908C2893DBC35EAA0D3549A8BDE49A4D530B42	28E590871A46B143D40A06AB8975CD2CF28A7A633AFF21CBE6843E7148D439A9
Chrome Cache Entry: 201	Unicode text, UTF-8 text, with very long lines (65535), with no line terminators	4470F9315DB3A68D48E8F5BCB6D705D0	4D5F7CD2C96A03E2F51A329E18ED60BEECBDF38F	1A0EE2511D089CB95D707FDE3FC4BA73CED3C37E262320BD57A40840EF21A217
Chrome Cache Entry: 202	ASCII text, with very long lines (9311)	05616E808988C14EEBB4984FE9364C64	4C5699E28D27295794B526D8E606F6CCE51CF2F7	FB6A1D4A46A4BA0F3ACF3C57DE19B77FA3ED0E7B0575E59F0C1FDD192207FA1F
Chrome Cache Entry: 203	ASCII text, with very long lines (65536), with no line terminators	39A90B43BEBE6B5026802C89A2320FBD	5A48FBD0E2777D8B555129079670B44C32A9A310	0DA8E9BC6704B91D6DF232D6AC6DA2C6B2AC1AE3408D6AF97FD217B62F440079
Chrome Cache Entry: 204	Unicode text, UTF-8 text, with very long lines (65462)	BF88EBC2F62709D5D19822E60D9DF084	BC1BC2FF92784ECC83F24C0CB6ABF9D77388EA61	A38701D1813B41487A1A9E4843927D0740C48B715A21168C800737D98B9C7F28
Chrome Cache Entry: 206	JSON data	CDD7A3CA40E28A36C01C6BF42E761142	A383642CC2DAFDD8CAE84576AEBEB71BA318E049	39A3E129FE972509880189EB29DB5BBF8C5DF9A2A9D9E39096DFC1EE2664FEF3
Chrome Cache Entry: 207	Unicode text, UTF-8 text, with very long lines (61156)	86619F47BBD99466E782F9441B4E0269	E0D9D0A2AB465B4354E0BA7CA305D3C8C6CB289B	A32B76D5BC417C7F87ABA59B0A92190FF784D1ED95C713DA45FEA966A5BD8E82
Chrome Cache Entry: 208	ASCII text, with very long lines (65536), with no line terminators	2F0CF55A85F4F96C749D5F0EF2EC5C9C	FACD44E5191762EBEE8B50056DD80C80E9EF5B6D	66F167E6EDB2D1537CA66B9F7885DB0440425D25DBA28E0259DC55236C71F864
Chrome Cache Entry: 209	ASCII text, with very long lines (12488)	BEAB5225A8663804A13E85F063BF69C2	9587F9F1D78665C9BF2CA0B61903199FD73D889D	2A04C8E6D27FA6FEF61D44551BE3CB90E64C3ADC0613F9E40AB4650AC326A6D0
Chrome Cache Entry: 210	ASCII text, with no line terminators	4F89EA9744C2B6ECC4D753D595C3476C	F66FBAAFD44235B0FECCD5B32FCA20BF9A1AF5DF	5574761A5E5183F3B7AB2D54E92982CCD09F40168CCB1ED002513477F5923967
Chrome Cache Entry: 211	ASCII text, with very long lines (65536), with no line terminators	401A085DAF469075D7D14659F7D3CE0E	415A2E3D83BE2696CC7EC147AE109B651F1119A6	E3FFA71CD501F9A1352A1CD7C5653ABB51538D47826FF18FD628361153DD73DB
Chrome Cache Entry: 212	Unicode text, UTF-8 text, with very long lines (45784)	81DAA23E045D600077CFD26D2E552ACA	3A9462D6980C6CF9EEF2FA0C15967187DF452348	B3EFAE7328044AEA692F6B271910DE16E0EE8D467F0DD075EF896F6F0FBEE162
Chrome Cache Entry: 213	ASCII text, with very long lines (65471)	8808193A57FE2A6612887520C16EEC36	F469995021145E38BE0BBEAD7A27B971A7F0CA3C	B1460F171C59A89931821EF65D402B28421F8AFF4D4B108D5773C49DDB547977
Chrome Cache Entry: 214	Web Open Font Format (Version 2), CFF, length 38004, version 1.0	8D3C19E4ECCD8530EFC9E39326E0FC52	083F5A3B3161541E62CE4002D9FD1731FCA640D2	5961262FD0CD492D39005E866EF7496F7DD4779EBD615A0FC5ADE35D4EEB8030
Chrome Cache Entry: 215	PNG image data, 567 x 320, 8-bit colormap, non-interlaced	022196D638C79559AB13292F2B267965	7A24B486AAD59342DAEDE8CEAAF36FF71D89DB86	10F169559D0032D5881637DA7DB08F205F6505E3FF7FE3BB34BFA93B44063B90
Chrome Cache Entry: 216	Unicode text, UTF-8 text, with very long lines (21104), with no line terminators	B83462B2A7E3D6DD6B41F3045DAA2E01	72F80B4D4E2C85E5F74297828B57EE4A890FCCBC	1657FA85D84CF9994D4DAA0DE23C37DEE69CF0824EA8FBD01C4B351F9A9418AE
Chrome Cache Entry: 217	Unicode text, UTF-8 text, with very long lines (25561), with no line terminators	5662D5391F8AEDC329614CDF043AFA05	F0987794D6B851C0DE7C1B5F4A831B8808AAF993	CFE0AAADA15914A70EFF5A5C941EB615C2898618864FEEA51109248BBAAC87BE
Chrome Cache Entry: 218	Web Open Font Format (Version 2), CFF, length 36388, version 1.0	B2FE0D9753FE193A7965B201CCEB9547	5F2D96F6BFD11797A53E9A2832CA5A2F53211556	A4DF96CBF8E2CAA44973A92CC15757C900EFC169039CE07E36F4E0FBC86B0216
Chrome Cache Entry: 219	ASCII text, with very long lines (65536), with no line terminators	575475A8EEC4D426637F5CA5944AAEB3	7B6E5D9C89B70A698FFCCC4523E0E1E1E9B5AA02	B4BE5F5E3FA97558B0E31D534F3CABB8EAFC89D3E64115623E46CCD312ABDBC7
Chrome Cache Entry: 220	ASCII text, with very long lines (2702)	7F3108510F7940CDEEB90D360AF50CD4	9A3FC7D3DC42845B5281DD8927F31C1EF3E6C2A5	92F896D26B82DE8C0912FA8562CA7D21C7D6496822B354A37F06C4CF53C27BE8
Chrome Cache Entry: 222	ASCII text	A8F31907CAE1CFE6508E91681726D9AA	145175C780ECDB6BF673DF3C0C0B0DC86C00A3E9	CAB13851A06215CD7ADC3251C7BB0F8CEE2BAE4FC160FE4DA20573C3B1063575
Chrome Cache Entry: 223	troff or preprocessor input, ASCII text, with very long lines (7656)	CA344841298EEDD995DB0268E6DAE183	31057C6C81ADEFA4796A7931AAA48553C5C09ABA	11F0D5166D3992C0FB0FDEF41A0A943C8BCF1FF631306C9A2330FF476D62ADF5
Chrome Cache Entry: 224	ASCII text, with very long lines (65469)	9BFAA7814A3D3120076446EA3B059FC6	43E9F4E1D4105D02FB4931A4EE77BD8A589A6852	CCF202D3FCDFD7B5B1727BFA096BC7093626DDCC60B78F58798639BF0805200B
Chrome Cache Entry: 226	ASCII text, with very long lines (65536), with no line terminators	D618E47710DA0F39F4BA79E0A5ADBA07	07ABEC43118DBC5FBE3623E661B2057EBFD0E462	8562E22220F33D32C216929AF253B87952D6F75B4A2119BDD2903224ABED1901
Chrome Cache Entry: 228	ASCII text, with very long lines (65471)	5C2C130BFC93D8122E519199BF2E9884	507559407265307B0D083BC1C9723BB2C2EB8061	1388EA5AD7A328CBA76DF00307D1DA7A3DD293551E4421BDBB09E6C77CCA0BA7
Chrome Cache Entry: 229	PNG image data, 567 x 320, 8-bit colormap, non-interlaced	F68227AD12254266749AA4DF255640F8	1A898EC16DA08C56E0DE6D6AC32BD6CEE1617D18	E93A12D29304F18C4AAC73566161E9AEC0D097C4895C369B880DB07139EE13C3
Chrome Cache Entry: 230	Unicode text, UTF-8 text, with very long lines (4112), with no line terminators	0469B2578169B1AC7C3E5C053DD41047	6828517F09D5C513D1F2EA552E3ED4CF69812708	531C647E2CB21D1CA4DD7FEFEEB7CA65DDC1C73F9747500B1ACE50C103E1E9E8
Chrome Cache Entry: 231	PNG image data, 567 x 320, 8-bit colormap, non-interlaced	06968C7FFD45D571E14F3424302B121F	097FF33BF0A8055BCD8C97E2CAC8C94180FE058B	4E747D58ED0F8E71D07110460B1CB77A083723BEAA980FA4B6AC4EB7A30004E4
Chrome Cache Entry: 232	ASCII text, with very long lines (65536), with no line terminators	B7217E773C763906183A945A2CF048CD	8F13E8AF21A50E12DDD46961E164FB8A808BE122	18CC7A22A9F6126B7BE1B533DAA10754C99ED7AC4E603728D0A8575E0000043D
Chrome Cache Entry: 233	Unicode text, UTF-8 text, with very long lines (55072)	4DD04062EF449C113DE9536573F87393	B29E9256596E21E3ADC69221B465E40D5F3EF80F	50C8F26607BD07CB1379D0AD03E984952A4B0D3F6B33BBE5704527D966D01C91
Chrome Cache Entry: 234	ASCII text, with very long lines (18357)	AAA07CE5DE984B193324F90E900BC932	6D5E90266FEF7DDF4F834596C11FCC05F4841821	E47AEBCC43D27C9D418644BFF649BC45E867AE545C3B98AF8B0B74DF1954AE7A
Chrome Cache Entry: 236	HTML document, ASCII text, with very long lines (7357), with no line terminators	8121E8EE50866B1E7AADA5B74842321F	7BDB37B3CCAB6CD97EF0D671C3D258DA0846384C	D42121B89AE8BEEA781B52445D7DF87C095EFE568DD9E03234E1B8F7EB48379A
Chrome Cache Entry: 237	ASCII text	03DB7A20C614CC6FE830EDD353B44904	A0883E893D819D325B9DFDA19F84D98C74BB90B6	CFC32A2207E7DCE665E2A6C8CE5C8AE5E3C83AA2BB2184277CE2F39E6838D597
Chrome Cache Entry: 238	ASCII text, with very long lines (5680)	7732A1C14DE3BB3C5B7732D7CABBEB8F	0C59F3CD6263F7124D64BBA208C8590ED4E0ED0C	8FA6E36B23EECFE699D1CCCB4839B1AEABAE7253D37F3D691B2423E8362C4837
Chrome Cache Entry: 239	Unicode text, UTF-8 text, with very long lines (47680), with no line terminators	5E06B64A46B09AD9B33F59B742313E04	D2DABD76F9F5CEBF959ABC51F2CC41510E1F45E8	33EC2021CDCEDB111FBBACC7C01D5EE95EAB8553BAB7FCA2596E5C7810BD4314
Chrome Cache Entry: 240	ASCII text, with very long lines (65459), with escape sequences	255139D1D249FDE98CDCA26E3791BE64	2043B0841F4A824072080D0C298B32FEE1F62D6F	5DD2A0F45279AC575349B8E0A415CA52696427A3D720FDE0CADCACDD664849BD
Chrome Cache Entry: 241	ASCII text, with very long lines (65536), with no line terminators	AD90691E0BE1EF33C9217C45B52052DD	C690A58B843A2AE9F2618DF696FE55460DD6E230	05F52C4AF7A42CDB474BDD244D4513B988EB031018DD80F997C29F30703FBF57
Chrome Cache Entry: 242	JSON data	A9959D6807C32EDE011D36FEAA192950	EF1533B8B12BEDE2762729DB4C162460CD7CB0CD	B5AADB17530020435ACCF0031ADF9B1CD4588127A0308CC9A153ABBD35D2F7A5
Chrome Cache Entry: 243	ASCII text, with very long lines (16355)	DFF189E880C4E2F5325CA196BF36798C	BA4B45A0C38A691D2C3CA42AE9F69464B77F0E66	8D00C332E0EB5700C72C8847AAB09EBA2C0C85860049DCF044BA5D6840EAF7FA
Chrome Cache Entry: 245	ASCII text, with very long lines (13451)	1ABB7EA172F81EA0A6F45090C7A4405F	6FA3FB56A3BF49401F58023E1B731E08FF8E52CC	9BD710DD0B9EF2EC987FF7C8691AB802B527BB6ADD1AAD92066CB16FC9AAF29E
Chrome Cache Entry: 246	Web Open Font Format (Version 2), CFF, length 39260, version 1.0	35234F8ADC394C536031C99D7AC8484F	12EBFA0153118FAB8664C3B8EF696B64F4EA8EB5	E024FB3F5D381FE02FA0BC243DC557D5DAFF401F1B89220EBDFDA89D5F99D207
Chrome Cache Entry: 247	JSON data	6194F3855050E2CA9FAEEC89DCE2BD62	6EEF6E66AED89E3F3071BBE28ED31DC2F18093AF	7065DCDC949E26A300EA566A13991BB182E8B51F6BD2916C5ECDDDEB8D8882CB
Chrome Cache Entry: 248	Unicode text, UTF-8 text, with very long lines (24641), with no line terminators	04A2EC68BC883EDB028F2727E5379808	5EBE223A7A40C855AACE143DD4B053CEBA4E80BD	7A580C19BFBF1A1BDC5F2EAD587334A007742E13B2009B6409E282935C3F9295
Chrome Cache Entry: 249	Unicode text, UTF-8 text, with very long lines (65467)	01F0DAAFE603B1CD88B47FDB0C70C33C	BEAAAD2ACA6AB7FFC09DE55D50518405E2C391CC	B8A4D31AC0B1E6260D77CC51A39FEED04551E3266BB86F2B644C7F4BAEA1577D
Chrome Cache Entry: 250	Web Open Font Format (Version 2), CFF, length 38708, version 1.0	9B7DF6DE861255C8E82EF093D507D3DD	BD72B5EABBDCE88F1701A76E1469744D85CE663F	4B6A2E9B5AE1532E496A30FF9680B75A554CBE0785B4B12BEABD729477869C22
Chrome Cache Entry: 251	MS Windows icon resource - 1 icon, 32x31, 32 bits/pixel	4A26FB17C70FAC7759F15343042B92C7	938635A39D4317DB4EADDCF656CBE1C076480B03	CA973938B04E790E78D7C1BB99A03082FAFBA976514E4D3FC6C4F1B16F525D90
Chrome Cache Entry: 253	Unicode text, UTF-8 text, with very long lines (65502), with no line terminators	6B246F5ECCC402432B1136C70122EF2C	4ACC3217E2251E0C3DAFC93E308035A9741E67C9	FF3507E6486D3C3E789A547E0AAF8788D9C9726A111BBBD891EC173B2782543C
Chrome Cache Entry: 254	JSON data	E268AA887EB1468619E5DC717C361026	B2B5008FFB9C0FB96616217FB6C389E32B73B173	D5F1391C49A5083F11246A786685D5842A4134F86690ABBFD1CFFB863385B492
Chrome Cache Entry: 255	JSON data	E78AAE29253C4894EF77C2263DF2AF0E	F4BB400456EB30EB1D131549B777F405CCC1D348	599A201A8BCF34F862C99ED2109D9DAB8083C751FA16AA2EE87382FDAC0E1042
Chrome Cache Entry: 256	Unicode text, UTF-8 text, with very long lines (59055), with no line terminators	5ACF996987600F91BBF7801FC330B2C2	9666DD883FAF0317BBDBEBBD394425958C2209D5	D3F492607F29A31F83AA49F58FE56E9511382189585570197C46B57BEAC19F13
Chrome Cache Entry: 257	ASCII text, with very long lines (59164)	6C00CC59CB6F12C8C5AB0D1DC29BA9DC	1A21FC8BABDB37575ABD21E3312BA9110F86C940	BFD00D1568F9A338956506B2E12A367D02B91379DE6E6F3F91F315831976923C
Chrome Cache Entry: 258	ASCII text, with very long lines (31583)	0AFC8C3F5C7FFCFDBF76822E073274CA	FCD749C951C907E2456FA577B89A4EAB54D431B2	7553CB516EA5288AC03CBED31516277263D56AAEA7FE36E1B3D11D50C7E5BC89
Chrome Cache Entry: 260	ASCII text, with very long lines (65536), with no line terminators	69B9B1CDE801025156FE9E44BA2E8EE9	B1C2D3C83CEB6DD8199A1268EC0842B0806CB72A	D76EF996759755130C1F2347A1A61C678B4884978085E6A62DBE3EB72A4C27F4
Chrome Cache Entry: 261	ASCII text, with very long lines (15446)	70A6359D4A7979FB5A703CD22AA2BEF1	54F87F633E143B07F6299FD7DC90B7773E1FC5E9	5521FEA334C99827F975ED1C3C563CFD58C7B816FEDF1C0EEAA24DA98C328C3D
Chrome Cache Entry: 262	GIF image data, version 89a, 1 x 1	81144D75B3E69E9AA2FA3E9D83A64D03	F0FBC60B50EDF5B2A0B76E0AA0537B76BF346FFC	9B9265C69A5CC295D1AB0D04E0273B3677DB1A6216CE2CCF4EFC8C277ED84B39
Chrome Cache Entry: 263	WebAssembly (wasm) binary module version 0x1 (MVP)	EC29E1E844E21D9CD7F901374CD05357	44F7EF30FF6D6214D2723B7F6DAF25A0DE6995C4	3750AF83918C0502BC43BD44B2DE178C0DE98CFF63F2BF064FC744EEEF3B3E09
Chrome Cache Entry: 264	JSON data	AD4CF40F1CD438B984F3E98CA6C7C3D9	0B770C1805211562D0C549A177D7B0AE07B94E41	DD70B72768BC3D5CFCCB22CDCFBEC4046D24E19B11DE716621F6B988BBD164E3
Chrome Cache Entry: 265	ASCII text, with very long lines (65469)	394977C192047E1F5CCA5BEE10C90B9D	DC02A1E1370102DF324BC464E1CDD8A113982B6B	E4B864E1EFFA51B0453F82E3A2D454C6501E5DB337D725D575F749E22EF7235D
Chrome Cache Entry: 266	Unicode text, UTF-8 text, with very long lines (2369)	CFE609917C9E7D4EED2C80563DED171B	2E5BBD88B040662BF8023FD6A9D55CC760008695	AD84B43FFD121E46AC4D2FA817B5863E4802C523BC3FB5E864DB28B3DB0E2514
Chrome Cache Entry: 267	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	82C01E70A7FF19468BAD984CC87E90CD	0E7848947B29FB6BF6E4AC58A68FD685A5DFBAB5	D0D536F99F92C69E893149B42F3D45BD369475DFDBFB6843E1DCCE3C5558B091
Chrome Cache Entry: 268	Web Open Font Format (Version 2), CFF, length 38976, version 1.0	3DC8E6938118F5FA1AF3E7A5A98BAA66	03CD9EE2CD0B7CD881FA75FF4A7369E68BD2154A	3D75BB0A01BC2FD0E963F6879634C371B205CA4DA67021B0F453592337DCC001
Chrome Cache Entry: 269	ASCII text, with very long lines (10418)	BCFD581331F6D0D1EF1A5EAA9E10D4CD	46251C6BFC0AEF65B7729AD77A36C4CAFCDAD4AB	F8C7CA2A6BAF89208C0A433DBEA58D40FD5799AD919195B5E02DFEC9D47531C7
Chrome Cache Entry: 271	ASCII text, with very long lines (65469)	AD45AD021158B250A53BCC3F741F3B08	BF5D7E1D7904F8BF24BAF6C138FBA456B77E8DE6	297C5409223368B92CD40E3518156E022EB881807F9521DC836F7D3361296A50
Chrome Cache Entry: 272	Unicode text, UTF-8 text, with very long lines (32252)	C036798A081B1D3C873B317EA139260B	A05AC7AC7E3C04F94252CD73E1F8E0B4E922DF41	3FF9D5E5B8220661588A85FEDD0C93774BA612EA53F3C0F4532DF820CECC936A
Chrome Cache Entry: 273	HTML document, Unicode text, UTF-8 text, with very long lines (477)	C4FAE49271A918C2AC763B90C5376F18	8D59008924DC85437490D5A223FEB5DDBCC669D6	15D373F0C2E0AC3927CEF7B8C9931666458D02FD22192B01ECA9158D787FC594
Chrome Cache Entry: 274	JSON data	C288CFEF81281F59C6053E78E0707B43	0718F2186252511B4CE3DC95D7EF2539D27C7994	4A4DD5F47A9897B639EBD9D7142D38D596BBE4F7DC9E2BAD87FBBD7D93C87206
Chrome Cache Entry: 276	ASCII text, with very long lines (29244)	C3244B94BB82B3C7923D119FE3BB0DB1	157E8A9684045ED856A6D0CF7B8B1415A51D88D1	534AA2D2F9687A6CAAEEE531267A5DBB33B0C56CFDEE805DBEFA314DF2B8CF1D
Chrome Cache Entry: 277	PNG image data, 567 x 320, 8-bit colormap, non-interlaced	5B8C30495BD157C377BEC29396AEE6F3	8D0C06676BB602D55A6133A0C9966794E5EACF75	63CB5314DB63D5CD2F24DA33EF66506B438933D4CE0ACAD9299AA88985D55917
Chrome Cache Entry: 278	PNG image data, 567 x 320, 8-bit colormap, non-interlaced	D35D9AD7A044121ADBA1407BA81D8D86	A520AFFC9EFFD5128B7B9BBCF1DCA7FD1D5FA914	B9995DE4418ECDA54965D1B84A65111A34DAA1F558F247BE8B95043A3A02C0CC
Chrome Cache Entry: 279	Web Open Font Format (Version 2), CFF, length 38948, version 1.0	8CF9CE13F6FE0205F4EAAC49FA17B681	2CEF6CD00A2D4A5CD5E0AB6F00042A70F1B73756	85257E2624BBB138582821CEB2F8B18C7B4FB43D26C1BCBFD5155CA81B55CC69
Chrome Cache Entry: 280	HTML document, ASCII text, with very long lines (30833)	68E6ACA7A55A060C7BB1665EA39E4AF2	3AFB638F70EEADB8940A075F2ADA74DC9946D477	E6C466CC9FD191E4CC7FF785113C20371EA6D2A3DB5C01F9E2E2EC266ED88535
Chrome Cache Entry: 282	ASCII text, with very long lines (65458)	1EA514B9E5C7EE2629C4CA4F5EBD0150	E29E2620819C9ADE643BEEB04A1D232F401F5732	8CE78ED2B6AB2A332768ED925E9AB53D35D9E989E02050A98ECC20E8D09FF4BD

Windows Analysis Report
https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Exploits

Compliance

Networking

E-Banking Fraud

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Exploits

Compliance

Networking

E-Banking Fraud

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5

Malware Threat Intel
Provided by