Windows Analysis Report
lmg1_Mlakaifa443456.vbs

Overview

General Information

Sample name: lmg1_Mlakaifa443456.vbs
Analysis ID: 1431185
MD5: ade48125e600ea0434a894e7c5131462
SHA1: 8b5e29fc3d490ebcba5295332c601d8165a67ec5
SHA256: 2f7971748b7db79bdd724861d1b463b0489b790b9e60e733dea409f73abf9539
Tags: HUNvbs
Infos:

Detection

AsyncRAT, DcRat, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
Yara detected DcRat
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32
Sigma detected: Startup Folder File Write
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
AsyncRAT AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
Name Description Attribution Blogpost URLs Link
DCRat DCRat is a typical RAT that has been around since at least June 2019. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: lmg1_Mlakaifa443456.vbs Avira: detected
Antivirus detection for URL or domain
Source: http://geoplugin.net/json.gp URL Reputation: Label: phishing
Found malware configuration
Source: 00000013.00000002.2293840182.0000000002B08000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "139.99.133.66:4444:0", "Assigned name": "ADFLY", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "asasasas-SEG6JT", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack Malware Configuration Extractor: AsyncRAT {"Ports": ["6666"], "Server": ["139.99.133.66"], "Mutex": "MIGUELANGELES", "Certificate": "MIICKzCCAZSgAwIBAgIVAO5NCNVriIgVqdmZuiqdaFkGqjLvMA0GCSqGSIb3DQEBDQUAMF8xEDAOBgNVBAMMB2FzYXNhc2ExEzARBgNVBAsMCnF3cWRhbmNodW4xHDAaBgNVBAoME0RjUmF0IEJ5IHF3cWRhbmNodW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yMzA3MDQxMzM1NTVaFw0zNDA0MTIxMzM1NTVaMBAxDjAMBgNVBAMMBURjUmF0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCB82Ur6soO7/5apLmyoS9issJODa4S2r9uXXSHnwNbxCISNhPMELugVRoPjyUDUW4n1Fk01iBzGqSOwgQ9lAMbkbpzB+w9E5EpaHThe4KVOEhhL5dLGojfNgvbD3URbOIgpzRgkJf2x8wigUMRLBR1fYytIOWAbL3y9rwAXGlnxwIDAQABozIwMDAdBgNVHQ4EFgQUT1sA15K/oe8QOOxFi7To7KxJB/MwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQAZ+eiDeOgMA0GmKyVtNdthd/UbaqT49UyogROnA13GWYKSSOgs8BYLv/G/anZvkI72fR3/RF1jiSHuPwgqFetcHE6po6u5vRPho4yLVHGOPy8PtoxHiCHPOkORnHUGDTrs8HuSOkQpXyOgRXbLcVtVIbcfBFns3UKHcJ7IO0tuBA==", "Server Signature": "N3pZ2YCPJotv4dO0p9r4yZEeDnvpp9s/wXezrLSSJXN20FTY+KcXcOXJBRQV13FUX0FmBygTW0WXV3x9TGBjM7Nv//rhhRRRW37HV7bBW576W+8wt5cQpEzjMa5sPAAojC48387uRm7G9EfI2GVf5h3nL8PFY9Kvhbt1sQWDbvI="}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\dynwrapx.dll ReversingLabs: Detection: 45%
Multi AV Scanner detection for submitted file
Source: lmg1_Mlakaifa443456.vbs ReversingLabs: Detection: 26%
Yara detected Remcos RAT
Source: Yara match File source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2293840182.0000000002B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2306410441.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2465197293.00000000030A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2318995170.0000000003537000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2453487662.0000000003017000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3307138781.0000000002F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2427511925.0000000002B17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2441743999.00000000029F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: winhlp32.exe PID: 6540, type: MEMORYSTR
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\winhlp32.exe Code function: 17_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 17_2_00433837
Source: C:\Windows\winhlp32.exe Code function: 19_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 19_2_00433837
Source: C:\Windows\winhlp32.exe Code function: 21_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 21_2_00433837
Source: C:\Windows\winhlp32.exe Code function: 23_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 23_2_00433837
Source: C:\Windows\winhlp32.exe Code function: 27_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 27_2_00433837
Source: winhlp32.exe Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Privilege Escalation
barindex
Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Windows\winhlp32.exe Code function: 17_2_004074FD _wcslen,CoGetObject, 17_2_004074FD
Source: C:\Windows\winhlp32.exe Code function: 19_2_004074FD _wcslen,CoGetObject, 19_2_004074FD
Source: C:\Windows\winhlp32.exe Code function: 21_2_004074FD _wcslen,CoGetObject, 21_2_004074FD
Source: C:\Windows\winhlp32.exe Code function: 23_2_004074FD _wcslen,CoGetObject, 23_2_004074FD
Source: C:\Windows\winhlp32.exe Code function: 27_2_004074FD _wcslen,CoGetObject, 27_2_004074FD
Source: Binary string: C:\Users\28718\Documents\GitHub\DcRat\Binaries\Release\Plugins\SendFile.pdb source: RegAsm.exe, 00000004.00000002.3319084811.0000000005F20000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Windows\winhlp32.exe Code function: 17_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_00409253
Source: C:\Windows\winhlp32.exe Code function: 17_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 17_2_0041C291
Source: C:\Windows\winhlp32.exe Code function: 17_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 17_2_0040C34D
Source: C:\Windows\winhlp32.exe Code function: 17_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_00409665
Source: C:\Windows\winhlp32.exe Code function: 17_2_0044E879 FindFirstFileExA, 17_2_0044E879
Source: C:\Windows\winhlp32.exe Code function: 17_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 17_2_0040880C
Source: C:\Windows\winhlp32.exe Code function: 17_2_0040783C FindFirstFileW,FindNextFileW, 17_2_0040783C
Source: C:\Windows\winhlp32.exe Code function: 17_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 17_2_00419AF5
Source: C:\Windows\winhlp32.exe Code function: 17_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 17_2_0040BB30
Source: C:\Windows\winhlp32.exe Code function: 17_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 17_2_0040BD37
Source: C:\Windows\winhlp32.exe Code function: 19_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 19_2_00409253
Source: C:\Windows\winhlp32.exe Code function: 19_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 19_2_0041C291
Source: C:\Windows\winhlp32.exe Code function: 19_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 19_2_0040C34D
Source: C:\Windows\winhlp32.exe Code function: 19_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 19_2_00409665
Source: C:\Windows\winhlp32.exe Code function: 19_2_0044E879 FindFirstFileExA, 19_2_0044E879
Source: C:\Windows\winhlp32.exe Code function: 19_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 19_2_0040880C
Source: C:\Windows\winhlp32.exe Code function: 19_2_0040783C FindFirstFileW,FindNextFileW, 19_2_0040783C
Source: C:\Windows\winhlp32.exe Code function: 19_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 19_2_00419AF5
Source: C:\Windows\winhlp32.exe Code function: 19_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 19_2_0040BB30
Source: C:\Windows\winhlp32.exe Code function: 19_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 19_2_0040BD37
Source: C:\Windows\winhlp32.exe Code function: 21_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 21_2_00409253
Source: C:\Windows\winhlp32.exe Code function: 21_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 21_2_0041C291
Source: C:\Windows\winhlp32.exe Code function: 21_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 21_2_0040C34D
Source: C:\Windows\winhlp32.exe Code function: 21_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 21_2_00409665
Source: C:\Windows\winhlp32.exe Code function: 21_2_0044E879 FindFirstFileExA, 21_2_0044E879
Source: C:\Windows\winhlp32.exe Code function: 21_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 21_2_0040880C
Source: C:\Windows\winhlp32.exe Code function: 21_2_0040783C FindFirstFileW,FindNextFileW, 21_2_0040783C
Source: C:\Windows\winhlp32.exe Code function: 21_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 21_2_00419AF5
Source: C:\Windows\winhlp32.exe Code function: 21_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 21_2_0040BB30
Source: C:\Windows\winhlp32.exe Code function: 21_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 21_2_0040BD37
Source: C:\Windows\winhlp32.exe Code function: 23_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 23_2_00409253
Source: C:\Windows\winhlp32.exe Code function: 23_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 23_2_0041C291
Source: C:\Windows\winhlp32.exe Code function: 23_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 23_2_0040C34D
Source: C:\Windows\winhlp32.exe Code function: 23_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 23_2_00409665
Source: C:\Windows\winhlp32.exe Code function: 23_2_0044E879 FindFirstFileExA, 23_2_0044E879
Source: C:\Windows\winhlp32.exe Code function: 23_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 23_2_0040880C
Source: C:\Windows\winhlp32.exe Code function: 23_2_0040783C FindFirstFileW,FindNextFileW, 23_2_0040783C
Source: C:\Windows\winhlp32.exe Code function: 23_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 23_2_00419AF5
Source: C:\Windows\winhlp32.exe Code function: 23_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 23_2_0040BB30
Source: C:\Windows\winhlp32.exe Code function: 23_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 23_2_0040BD37
Source: C:\Windows\winhlp32.exe Code function: 27_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 27_2_00409253
Source: C:\Windows\winhlp32.exe Code function: 27_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 27_2_0041C291
Source: C:\Windows\winhlp32.exe Code function: 27_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 27_2_0040C34D
Source: C:\Windows\winhlp32.exe Code function: 27_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 27_2_00409665
Source: C:\Windows\winhlp32.exe Code function: 27_2_0044E879 FindFirstFileExA, 27_2_0044E879
Source: C:\Windows\winhlp32.exe Code function: 27_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 27_2_0040880C
Source: C:\Windows\winhlp32.exe Code function: 27_2_0040783C FindFirstFileW,FindNextFileW, 27_2_0040783C
Source: C:\Windows\winhlp32.exe Code function: 27_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 27_2_00419AF5
Source: C:\Windows\winhlp32.exe Code function: 27_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 27_2_0040BB30
Source: C:\Windows\winhlp32.exe Code function: 27_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 27_2_0040BD37
Source: C:\Windows\winhlp32.exe Code function: 17_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 17_2_00407C97
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 139.99.133.66:6666 -> 192.168.2.5:49704
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.5:49715 -> 139.99.133.66:4444
Source: Traffic Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 139.99.133.66:4444 -> 192.168.2.5:49715
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 139.99.133.66
Potential malicious VBS script found (has network functionality)
Source: Initial file: BinaryStream.SaveToFile FILE_NAME
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 139.99.133.66:6666
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: unknown TCP traffic detected without corresponding DNS query: 139.99.133.66
Source: C:\Windows\winhlp32.exe Code function: 17_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 17_2_0041B380
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: RegAsm.exe, 00000004.00000002.3306976580.0000000001121000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000004.00000002.3306976580.00000000010A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enqN
Source: winhlp32.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: RegAsm.exe, 00000004.00000002.3309788726.0000000002F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected AsyncRAT
Source: Yara match File source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 5144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4068, type: MEMORYSTR
Contains functionality to register a low level keyboard hook
Source: C:\Windows\winhlp32.exe Code function: 17_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 17_2_0040A2B8
Contains functionality for read data from the clipboard
Source: C:\Windows\winhlp32.exe Code function: 17_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 17_2_0040B70E
Contains functionality to modify clipboard data
Source: C:\Windows\winhlp32.exe Code function: 17_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 17_2_004168C1
Source: C:\Windows\winhlp32.exe Code function: 19_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 19_2_004168C1
Source: C:\Windows\winhlp32.exe Code function: 21_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 21_2_004168C1
Source: C:\Windows\winhlp32.exe Code function: 23_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 23_2_004168C1
Source: C:\Windows\winhlp32.exe Code function: 27_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 27_2_004168C1
Contains functionality to read the clipboard data
Source: C:\Windows\winhlp32.exe Code function: 17_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 17_2_0040B70E
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\winhlp32.exe Code function: 17_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 17_2_0040A3E0

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2293840182.0000000002B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2306410441.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2465197293.00000000030A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2318995170.0000000003537000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2453487662.0000000003017000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3307138781.0000000002F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2427511925.0000000002B17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2441743999.00000000029F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: winhlp32.exe PID: 6540, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Windows\winhlp32.exe Code function: 17_2_0041C9E2 SystemParametersInfoW, 17_2_0041C9E2
Source: C:\Windows\winhlp32.exe Code function: 19_2_0041C9E2 SystemParametersInfoW, 19_2_0041C9E2
Source: C:\Windows\winhlp32.exe Code function: 21_2_0041C9E2 SystemParametersInfoW, 21_2_0041C9E2
Source: C:\Windows\winhlp32.exe Code function: 23_2_0041C9E2 SystemParametersInfoW, 23_2_0041C9E2
Source: C:\Windows\winhlp32.exe Code function: 27_2_0041C9E2 SystemParametersInfoW, 27_2_0041C9E2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000004.00000002.3309788726.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000004.00000002.3316092029.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.2081271482.00000000032BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000006.00000002.2078678717.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000004.00000002.3309788726.0000000003118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000004.00000002.3309788726.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.2085488605.0000000005756000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.2081271482.00000000032A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000002.2085289507.0000000002CEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000A.00000002.2085289507.0000000002CD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000004.00000002.3306976580.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: wscript.exe PID: 5144, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 4148, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 4068, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 3160, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 2964, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Potential malicious VBS script found (suspicious strings)
Source: Initial file: tte.Register "kernel32.dll", "VirtualAlloc", LCase("i=puuu"), LCase("r=p")
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24} Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4} Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13709620-C279-11CE-A49E-444553540000}
Source: C:\Windows\System32\wscript.exe COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
Wscript called in batch mode (surpress errors)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs"
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_2_05660054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 2_2_05660054
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_2_05660000 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 2_2_05660000
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_2_05E30054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 2_2_05E30054
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_2_05E30000 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 2_2_05E30000
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_2_05E3003C CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 2_2_05E3003C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_2_05EC0054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 2_2_05EC0054
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_2_05EC0000 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 2_2_05EC0000
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_2_06230054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 2_2_06230054
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_2_06230000 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 2_2_06230000
Contains functionality to shutdown / reboot the system
Source: C:\Windows\winhlp32.exe Code function: 17_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 17_2_004167B4
Source: C:\Windows\winhlp32.exe Code function: 19_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 19_2_004167B4
Source: C:\Windows\winhlp32.exe Code function: 21_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 21_2_004167B4
Source: C:\Windows\winhlp32.exe Code function: 23_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 23_2_004167B4
Source: C:\Windows\winhlp32.exe Code function: 27_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 27_2_004167B4
Detected potential crypto function
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D 2_3_051A9F5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1 2_3_051A9FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02D665D0 4_2_02D665D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02D66EA0 4_2_02D66EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02D66288 4_2_02D66288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02D6B590 4_2_02D6B590
Source: C:\Windows\winhlp32.exe Code function: 17_2_0043E0CC 17_2_0043E0CC
Source: C:\Windows\winhlp32.exe Code function: 17_2_0041F0FA 17_2_0041F0FA
Source: C:\Windows\winhlp32.exe Code function: 17_2_00454159 17_2_00454159
Source: C:\Windows\winhlp32.exe Code function: 17_2_00438168 17_2_00438168
Source: C:\Windows\winhlp32.exe Code function: 17_2_004461F0 17_2_004461F0
Source: C:\Windows\winhlp32.exe Code function: 17_2_0043E2FB 17_2_0043E2FB
Source: C:\Windows\winhlp32.exe Code function: 17_2_0045332B 17_2_0045332B
Source: C:\Windows\winhlp32.exe Code function: 17_2_0042739D 17_2_0042739D
Source: C:\Windows\winhlp32.exe Code function: 17_2_004374E6 17_2_004374E6
Source: C:\Windows\winhlp32.exe Code function: 17_2_0043E558 17_2_0043E558
Source: C:\Windows\winhlp32.exe Code function: 17_2_00438770 17_2_00438770
Source: C:\Windows\winhlp32.exe Code function: 17_2_004378FE 17_2_004378FE
Source: C:\Windows\winhlp32.exe Code function: 17_2_00433946 17_2_00433946
Source: C:\Windows\winhlp32.exe Code function: 17_2_0044D9C9 17_2_0044D9C9
Source: C:\Windows\winhlp32.exe Code function: 17_2_00427A46 17_2_00427A46
Source: C:\Windows\winhlp32.exe Code function: 17_2_0041DB62 17_2_0041DB62
Source: C:\Windows\winhlp32.exe Code function: 17_2_00427BAF 17_2_00427BAF
Source: C:\Windows\winhlp32.exe Code function: 17_2_00437D33 17_2_00437D33
Source: C:\Windows\winhlp32.exe Code function: 17_2_00435E5E 17_2_00435E5E
Source: C:\Windows\winhlp32.exe Code function: 17_2_00426E0E 17_2_00426E0E
Source: C:\Windows\winhlp32.exe Code function: 17_2_0043DE9D 17_2_0043DE9D
Source: C:\Windows\winhlp32.exe Code function: 17_2_00413FCA 17_2_00413FCA
Source: C:\Windows\winhlp32.exe Code function: 17_2_00436FEA 17_2_00436FEA
Source: C:\Windows\winhlp32.exe Code function: 19_2_0043E0CC 19_2_0043E0CC
Source: C:\Windows\winhlp32.exe Code function: 19_2_0041F0FA 19_2_0041F0FA
Source: C:\Windows\winhlp32.exe Code function: 19_2_00454159 19_2_00454159
Source: C:\Windows\winhlp32.exe Code function: 19_2_00438168 19_2_00438168
Source: C:\Windows\winhlp32.exe Code function: 19_2_004461F0 19_2_004461F0
Source: C:\Windows\winhlp32.exe Code function: 19_2_0043E2FB 19_2_0043E2FB
Source: C:\Windows\winhlp32.exe Code function: 19_2_0045332B 19_2_0045332B
Source: C:\Windows\winhlp32.exe Code function: 19_2_0042739D 19_2_0042739D
Source: C:\Windows\winhlp32.exe Code function: 19_2_004374E6 19_2_004374E6
Source: C:\Windows\winhlp32.exe Code function: 19_2_0043E558 19_2_0043E558
Source: C:\Windows\winhlp32.exe Code function: 19_2_00438770 19_2_00438770
Source: C:\Windows\winhlp32.exe Code function: 19_2_004378FE 19_2_004378FE
Source: C:\Windows\winhlp32.exe Code function: 19_2_00433946 19_2_00433946
Source: C:\Windows\winhlp32.exe Code function: 19_2_0044D9C9 19_2_0044D9C9
Source: C:\Windows\winhlp32.exe Code function: 19_2_00427A46 19_2_00427A46
Source: C:\Windows\winhlp32.exe Code function: 19_2_0041DB62 19_2_0041DB62
Source: C:\Windows\winhlp32.exe Code function: 19_2_00427BAF 19_2_00427BAF
Source: C:\Windows\winhlp32.exe Code function: 19_2_00437D33 19_2_00437D33
Source: C:\Windows\winhlp32.exe Code function: 19_2_00435E5E 19_2_00435E5E
Source: C:\Windows\winhlp32.exe Code function: 19_2_00426E0E 19_2_00426E0E
Source: C:\Windows\winhlp32.exe Code function: 19_2_0043DE9D 19_2_0043DE9D
Source: C:\Windows\winhlp32.exe Code function: 19_2_00413FCA 19_2_00413FCA
Source: C:\Windows\winhlp32.exe Code function: 19_2_00436FEA 19_2_00436FEA
Source: C:\Windows\winhlp32.exe Code function: 21_2_0043E0CC 21_2_0043E0CC
Source: C:\Windows\winhlp32.exe Code function: 21_2_0041F0FA 21_2_0041F0FA
Source: C:\Windows\winhlp32.exe Code function: 21_2_00454159 21_2_00454159
Source: C:\Windows\winhlp32.exe Code function: 21_2_00438168 21_2_00438168
Source: C:\Windows\winhlp32.exe Code function: 21_2_004461F0 21_2_004461F0
Source: C:\Windows\winhlp32.exe Code function: 21_2_0043E2FB 21_2_0043E2FB
Source: C:\Windows\winhlp32.exe Code function: 21_2_0045332B 21_2_0045332B
Source: C:\Windows\winhlp32.exe Code function: 21_2_0042739D 21_2_0042739D
Source: C:\Windows\winhlp32.exe Code function: 21_2_004374E6 21_2_004374E6
Source: C:\Windows\winhlp32.exe Code function: 21_2_0043E558 21_2_0043E558
Source: C:\Windows\winhlp32.exe Code function: 21_2_00438770 21_2_00438770
Source: C:\Windows\winhlp32.exe Code function: 21_2_004378FE 21_2_004378FE
Source: C:\Windows\winhlp32.exe Code function: 21_2_00433946 21_2_00433946
Source: C:\Windows\winhlp32.exe Code function: 21_2_0044D9C9 21_2_0044D9C9
Source: C:\Windows\winhlp32.exe Code function: 21_2_00427A46 21_2_00427A46
Source: C:\Windows\winhlp32.exe Code function: 21_2_0041DB62 21_2_0041DB62
Source: C:\Windows\winhlp32.exe Code function: 21_2_00427BAF 21_2_00427BAF
Source: C:\Windows\winhlp32.exe Code function: 21_2_00437D33 21_2_00437D33
Source: C:\Windows\winhlp32.exe Code function: 21_2_00435E5E 21_2_00435E5E
Source: C:\Windows\winhlp32.exe Code function: 21_2_00426E0E 21_2_00426E0E
Source: C:\Windows\winhlp32.exe Code function: 21_2_0043DE9D 21_2_0043DE9D
Source: C:\Windows\winhlp32.exe Code function: 21_2_00413FCA 21_2_00413FCA
Source: C:\Windows\winhlp32.exe Code function: 21_2_00436FEA 21_2_00436FEA
Source: C:\Windows\winhlp32.exe Code function: 23_2_0043E0CC 23_2_0043E0CC
Source: C:\Windows\winhlp32.exe Code function: 23_2_0041F0FA 23_2_0041F0FA
Source: C:\Windows\winhlp32.exe Code function: 23_2_00454159 23_2_00454159
Source: C:\Windows\winhlp32.exe Code function: 23_2_00438168 23_2_00438168
Source: C:\Windows\winhlp32.exe Code function: 23_2_004461F0 23_2_004461F0
Source: C:\Windows\winhlp32.exe Code function: 23_2_0043E2FB 23_2_0043E2FB
Source: C:\Windows\winhlp32.exe Code function: 23_2_0045332B 23_2_0045332B
Source: C:\Windows\winhlp32.exe Code function: 23_2_0042739D 23_2_0042739D
Source: C:\Windows\winhlp32.exe Code function: 23_2_004374E6 23_2_004374E6
Source: C:\Windows\winhlp32.exe Code function: 23_2_0043E558 23_2_0043E558
Source: C:\Windows\winhlp32.exe Code function: 23_2_00438770 23_2_00438770
Source: C:\Windows\winhlp32.exe Code function: 23_2_004378FE 23_2_004378FE
Source: C:\Windows\winhlp32.exe Code function: 23_2_00433946 23_2_00433946
Source: C:\Windows\winhlp32.exe Code function: 23_2_0044D9C9 23_2_0044D9C9
Source: C:\Windows\winhlp32.exe Code function: 23_2_00427A46 23_2_00427A46
Source: C:\Windows\winhlp32.exe Code function: 23_2_0041DB62 23_2_0041DB62
Source: C:\Windows\winhlp32.exe Code function: 23_2_00427BAF 23_2_00427BAF
Source: C:\Windows\winhlp32.exe Code function: 23_2_00437D33 23_2_00437D33
Source: C:\Windows\winhlp32.exe Code function: 23_2_00435E5E 23_2_00435E5E
Source: C:\Windows\winhlp32.exe Code function: 23_2_00426E0E 23_2_00426E0E
Source: C:\Windows\winhlp32.exe Code function: 23_2_0043DE9D 23_2_0043DE9D
Source: C:\Windows\winhlp32.exe Code function: 23_2_00413FCA 23_2_00413FCA
Source: C:\Windows\winhlp32.exe Code function: 23_2_00436FEA 23_2_00436FEA
Source: C:\Windows\winhlp32.exe Code function: 27_2_0043E0CC 27_2_0043E0CC
Source: C:\Windows\winhlp32.exe Code function: 27_2_0041F0FA 27_2_0041F0FA
Source: C:\Windows\winhlp32.exe Code function: 27_2_00454159 27_2_00454159
Source: C:\Windows\winhlp32.exe Code function: 27_2_00438168 27_2_00438168
Source: C:\Windows\winhlp32.exe Code function: 27_2_004461F0 27_2_004461F0
Source: C:\Windows\winhlp32.exe Code function: 27_2_0043E2FB 27_2_0043E2FB
Source: C:\Windows\winhlp32.exe Code function: 27_2_0045332B 27_2_0045332B
Source: C:\Windows\winhlp32.exe Code function: 27_2_0042739D 27_2_0042739D
Source: C:\Windows\winhlp32.exe Code function: 27_2_004374E6 27_2_004374E6
Source: C:\Windows\winhlp32.exe Code function: 27_2_0043E558 27_2_0043E558
Source: C:\Windows\winhlp32.exe Code function: 27_2_00438770 27_2_00438770
Source: C:\Windows\winhlp32.exe Code function: 27_2_004378FE 27_2_004378FE
Source: C:\Windows\winhlp32.exe Code function: 27_2_00433946 27_2_00433946
Source: C:\Windows\winhlp32.exe Code function: 27_2_0044D9C9 27_2_0044D9C9
Source: C:\Windows\winhlp32.exe Code function: 27_2_00427A46 27_2_00427A46
Source: C:\Windows\winhlp32.exe Code function: 27_2_0041DB62 27_2_0041DB62
Source: C:\Windows\winhlp32.exe Code function: 27_2_00427BAF 27_2_00427BAF
Source: C:\Windows\winhlp32.exe Code function: 27_2_00437D33 27_2_00437D33
Source: C:\Windows\winhlp32.exe Code function: 27_2_00435E5E 27_2_00435E5E
Source: C:\Windows\winhlp32.exe Code function: 27_2_00426E0E 27_2_00426E0E
Source: C:\Windows\winhlp32.exe Code function: 27_2_0043DE9D 27_2_0043DE9D
Source: C:\Windows\winhlp32.exe Code function: 27_2_00413FCA 27_2_00413FCA
Source: C:\Windows\winhlp32.exe Code function: 27_2_00436FEA 27_2_00436FEA
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\dynwrapx.dll 4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379
Found potential string decryption / allocating functions
Source: C:\Windows\winhlp32.exe Code function: String function: 00402213 appears 95 times
Source: C:\Windows\winhlp32.exe Code function: String function: 0040159A appears 35 times
Source: C:\Windows\winhlp32.exe Code function: String function: 0040159F appears 35 times
Source: C:\Windows\winhlp32.exe Code function: String function: 0043A34C appears 40 times
Source: C:\Windows\winhlp32.exe Code function: String function: 00402218 appears 40 times
Source: C:\Windows\winhlp32.exe Code function: String function: 00407200 appears 55 times
Source: C:\Windows\winhlp32.exe Code function: String function: 004052FD appears 80 times
Source: C:\Windows\winhlp32.exe Code function: String function: 00403093 appears 40 times
Source: C:\Windows\winhlp32.exe Code function: String function: 00434E10 appears 270 times
Source: C:\Windows\winhlp32.exe Code function: String function: 004576B0 appears 32 times
Source: C:\Windows\winhlp32.exe Code function: String function: 0040417E appears 115 times
Source: C:\Windows\winhlp32.exe Code function: String function: 0040482D appears 35 times
Source: C:\Windows\winhlp32.exe Code function: String function: 00402093 appears 250 times
Source: C:\Windows\winhlp32.exe Code function: String function: 00434770 appears 205 times
Source: C:\Windows\winhlp32.exe Code function: String function: 0040915B appears 40 times
Source: C:\Windows\winhlp32.exe Code function: String function: 00409052 appears 40 times
Source: C:\Windows\winhlp32.exe Code function: String function: 00401F86 appears 55 times
Source: C:\Windows\winhlp32.exe Code function: String function: 00401E65 appears 170 times
Source: C:\Windows\winhlp32.exe Code function: String function: 0040274D appears 45 times
Source: C:\Windows\winhlp32.exe Code function: String function: 00401FAB appears 95 times
Source: C:\Windows\winhlp32.exe Code function: String function: 0043C26E appears 70 times
Source: C:\Windows\winhlp32.exe Code function: String function: 00411F67 appears 80 times
Source: C:\Windows\winhlp32.exe Code function: String function: 0040C1D8 appears 45 times
Source: C:\Windows\winhlp32.exe Code function: String function: 0043C0CF appears 65 times
Source: C:\Windows\winhlp32.exe Code function: String function: 004020DF appears 100 times
Source: C:\Windows\winhlp32.exe Code function: String function: 00457A28 appears 85 times
Source: C:\Windows\winhlp32.exe Code function: String function: 004484CA appears 90 times
Source: C:\Windows\winhlp32.exe Code function: String function: 004458D0 appears 140 times
Source: C:\Windows\winhlp32.exe Code function: String function: 004046F7 appears 85 times
Source: C:\Windows\winhlp32.exe Code function: String function: 0040223D appears 42 times
Java / VBScript file with very long strings (likely obfuscated code)
Source: lmg1_Mlakaifa443456.vbs Initial sample: Strings found which are bigger than 50
Yara signature match
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000004.00000002.3309788726.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.3316092029.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.2081271482.00000000032BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000006.00000002.2078678717.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000004.00000002.3309788726.0000000003118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000004.00000002.3309788726.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.2085488605.0000000005756000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.2081271482.00000000032A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000002.2085289507.0000000002CEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000A.00000002.2085289507.0000000002CD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.3306976580.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: wscript.exe PID: 5144, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: RegAsm.exe PID: 4148, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: RegAsm.exe PID: 4068, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: RegAsm.exe PID: 3160, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: RegAsm.exe PID: 2964, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, Settings.cs Base64 encoded string: 'VEt2PmhXMMIt1dJJJECAz1WHnDL0wlv8IZt1vpqPNSFxB38K5Btmk1hTwcjn9han0ayQP0bB+Dh7QB7osZeYkA==', 'xd+Dai6+yRW6ujvs7vLc/cH9S9P/cTNYodhYagiqgL97VyapNynPnF0PTLKK2XHfmzvtJP1hDiiCDjCCbbR2gQ==', 'sMndhh2MvpuufroCmflUDuSwMQ+cOpIT+VS5R/tqUQcheLpWC3ZItPRcfQ5pnglAkiJsD3tpCmljZBvTe2tQmw==', 'pB01OnXWD+ngTP35Ii2u/7nr6IpExfhu+WCLM6omlGKD49lHckRODiv/tW01SnNvTobEOHUlz+Lm0QwPEFT6sg==', 'Kst/cpNW+stInyo+R7DQSM2o2em2NU3tslltNPKEbP0VufIxNIpr8zRAFAch4T0zWNHbhiNUVWo4k1z3WEVwaA==', 'mtRC3wTN5SvMmbJs9uQ1SY+OPyMC6gMCVuHBNAUrmIH+ww3t7CVwPp/OXhdZ5YiNclgAKmE7+7Lhumcv5vNALBO9qCqSauTILC9saRZ6ACXZyGf1Lmj48gVVjJvkOLQRzsxGGJbjZF6Asb83YaHLELMIT8pRILLAxbzoESgfMYDwAAdYw/Nq0qVAVAKJo2gF81yzR+Vb5ymN2hldxU61V8i2lKAhID/S/NhP6F30oKnyF60/3zQU4HnJ5p/ixOi/jtkbI8fXBYRpYkSRAJyBMwTnbM61ihr4dIxGApsBaD0FGMmrkgLw0nNMmxRoQNFOEsDWUZYM7fR4P645Wfmw85VPWOSgmIcuYyIYntXq4Ga7sbfBYu1SR0CDxYp/+bLafN/HMPsOdfaM3jwVSfv26u5j5rmdDs51u5R4L4Bs7Y2iW1p8/OUqJ/9/jDzzzJsv4xuj5WgoUA31ujTFJOQUE4+HP2yqxt9LfNkUO9dCD06oBSbXhM3veF8110H2edIxbrpBbrHbMeq62UWyaws9YXdwxoVcly2DA/LBRQYrIbqPiFBC12hCcF1AByQIlILMkz/u6W1f9tWWqcTa7r1oyX7YltZWqsDxUchQPseFvEawNpGtK7BcSuVW9MSUd2AzDau3mwL9GsrmbsOy/FolLieNVkjeBLLqRPJmWcIjlm+UNYE7/WVNzC3uxtyovWbng9VR/KvQaxnT7qbnXoiXZfBdCV+63p47Arv1upSkaeThXoXpNn0IDwryU1PmAA6v7BaLuLFxTISAXLUL1qRu9CMrpOD31VJcV+gbl+ipGdpKTqj58RyIMBiWubY8TUB4X07OmRbPXosP/QxrCKY/NtvTCjymKOel1Ldny4jKIcWyMB79SBIsPijR9NtercglA0VoTvGplAm454VOLz9Or+zYi3U92tPOowe49/NXlDYBGDXEuqiAYlvW++FymOq3LYrvxEaMIs8S6vQlw4NxSAiDLyQOpWVklkmvJzSXRQHOcah5aUx2sQ8lrvU3lGz9qmrfUfFKLDSWDvejZGDo2qjAl3KXlJkJzairiUzGkcU=', 'qvNv/3DmbVHdwqVdt0nmMBUqDltRMhUdpJZQY4E27P91AuhYn8MBn7MG0uaBbEksI2BCcwA9SOVdNVMyyZW+C6umVJzrelhDRRlJvIYXDzUnzDSejRJ+/otwdE5kmTxz9quBnXtDtKnR7XsRi+waktchFP9+P+O4BwlZ6ZZNxNTRjBIZrrTDEvMlOaCF8M92/VoTExAm8SfrchmqAmBb9UJxqz7Da58InXRt44cQe6j+AjzgkzKNfaiLo2CCmBZY0UWj+2RYheIM4lCnLtNCReavV/Vmb73Un6j/FN22EVg=', 'I1W+CS5O2xwz/mIgFmMBykN7Ee7ho5k8eZ5J6D3YW57aE97qFTUg61n37Li1o0Waqgg19N9QcGdAkEgW6qdgPw==', 'pkvWx9EB/VxDNg1SOI1aRC8cUUDiyfBqf387cZf1bY3ag1BHeM7d+UkRwd4aUVNnt8L65pephvmHsecapeuOSQ==', 'w10TUuQ/QqDCUD6gjZNbacB4b7EcTgPK5AdSg9KwZ7HU3xbacvwRw2NaAtvWQW2okZPgVBwhKrZHG02cp/i9cA==', 'qUiaaVr6ViVdUFy1GCSy/XIoHuDvFENF11hZNTsIxy0QAKLzULCEUoS3YIXYEprVKBqz5RLqqorfOcVVmT8kcw=='
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, NormalStartup.cs Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 2.2.wscript.exe.5670000.0.raw.unpack, Settings.cs Base64 encoded string: 'VEt2PmhXMMIt1dJJJECAz1WHnDL0wlv8IZt1vpqPNSFxB38K5Btmk1hTwcjn9han0ayQP0bB+Dh7QB7osZeYkA==', 'xd+Dai6+yRW6ujvs7vLc/cH9S9P/cTNYodhYagiqgL97VyapNynPnF0PTLKK2XHfmzvtJP1hDiiCDjCCbbR2gQ==', 'sMndhh2MvpuufroCmflUDuSwMQ+cOpIT+VS5R/tqUQcheLpWC3ZItPRcfQ5pnglAkiJsD3tpCmljZBvTe2tQmw==', 'pB01OnXWD+ngTP35Ii2u/7nr6IpExfhu+WCLM6omlGKD49lHckRODiv/tW01SnNvTobEOHUlz+Lm0QwPEFT6sg==', 'Kst/cpNW+stInyo+R7DQSM2o2em2NU3tslltNPKEbP0VufIxNIpr8zRAFAch4T0zWNHbhiNUVWo4k1z3WEVwaA==', 'mtRC3wTN5SvMmbJs9uQ1SY+OPyMC6gMCVuHBNAUrmIH+ww3t7CVwPp/OXhdZ5YiNclgAKmE7+7Lhumcv5vNALBO9qCqSauTILC9saRZ6ACXZyGf1Lmj48gVVjJvkOLQRzsxGGJbjZF6Asb83YaHLELMIT8pRILLAxbzoESgfMYDwAAdYw/Nq0qVAVAKJo2gF81yzR+Vb5ymN2hldxU61V8i2lKAhID/S/NhP6F30oKnyF60/3zQU4HnJ5p/ixOi/jtkbI8fXBYRpYkSRAJyBMwTnbM61ihr4dIxGApsBaD0FGMmrkgLw0nNMmxRoQNFOEsDWUZYM7fR4P645Wfmw85VPWOSgmIcuYyIYntXq4Ga7sbfBYu1SR0CDxYp/+bLafN/HMPsOdfaM3jwVSfv26u5j5rmdDs51u5R4L4Bs7Y2iW1p8/OUqJ/9/jDzzzJsv4xuj5WgoUA31ujTFJOQUE4+HP2yqxt9LfNkUO9dCD06oBSbXhM3veF8110H2edIxbrpBbrHbMeq62UWyaws9YXdwxoVcly2DA/LBRQYrIbqPiFBC12hCcF1AByQIlILMkz/u6W1f9tWWqcTa7r1oyX7YltZWqsDxUchQPseFvEawNpGtK7BcSuVW9MSUd2AzDau3mwL9GsrmbsOy/FolLieNVkjeBLLqRPJmWcIjlm+UNYE7/WVNzC3uxtyovWbng9VR/KvQaxnT7qbnXoiXZfBdCV+63p47Arv1upSkaeThXoXpNn0IDwryU1PmAA6v7BaLuLFxTISAXLUL1qRu9CMrpOD31VJcV+gbl+ipGdpKTqj58RyIMBiWubY8TUB4X07OmRbPXosP/QxrCKY/NtvTCjymKOel1Ldny4jKIcWyMB79SBIsPijR9NtercglA0VoTvGplAm454VOLz9Or+zYi3U92tPOowe49/NXlDYBGDXEuqiAYlvW++FymOq3LYrvxEaMIs8S6vQlw4NxSAiDLyQOpWVklkmvJzSXRQHOcah5aUx2sQ8lrvU3lGz9qmrfUfFKLDSWDvejZGDo2qjAl3KXlJkJzairiUzGkcU=', 'qvNv/3DmbVHdwqVdt0nmMBUqDltRMhUdpJZQY4E27P91AuhYn8MBn7MG0uaBbEksI2BCcwA9SOVdNVMyyZW+C6umVJzrelhDRRlJvIYXDzUnzDSejRJ+/otwdE5kmTxz9quBnXtDtKnR7XsRi+waktchFP9+P+O4BwlZ6ZZNxNTRjBIZrrTDEvMlOaCF8M92/VoTExAm8SfrchmqAmBb9UJxqz7Da58InXRt44cQe6j+AjzgkzKNfaiLo2CCmBZY0UWj+2RYheIM4lCnLtNCReavV/Vmb73Un6j/FN22EVg=', 'I1W+CS5O2xwz/mIgFmMBykN7Ee7ho5k8eZ5J6D3YW57aE97qFTUg61n37Li1o0Waqgg19N9QcGdAkEgW6qdgPw==', 'pkvWx9EB/VxDNg1SOI1aRC8cUUDiyfBqf387cZf1bY3ag1BHeM7d+UkRwd4aUVNnt8L65pephvmHsecapeuOSQ==', 'w10TUuQ/QqDCUD6gjZNbacB4b7EcTgPK5AdSg9KwZ7HU3xbacvwRw2NaAtvWQW2okZPgVBwhKrZHG02cp/i9cA==', 'qUiaaVr6ViVdUFy1GCSy/XIoHuDvFENF11hZNTsIxy0QAKLzULCEUoS3YIXYEprVKBqz5RLqqorfOcVVmT8kcw=='
Source: 2.2.wscript.exe.5670000.0.raw.unpack, NormalStartup.cs Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, Settings.cs Base64 encoded string: 'VEt2PmhXMMIt1dJJJECAz1WHnDL0wlv8IZt1vpqPNSFxB38K5Btmk1hTwcjn9han0ayQP0bB+Dh7QB7osZeYkA==', 'xd+Dai6+yRW6ujvs7vLc/cH9S9P/cTNYodhYagiqgL97VyapNynPnF0PTLKK2XHfmzvtJP1hDiiCDjCCbbR2gQ==', 'sMndhh2MvpuufroCmflUDuSwMQ+cOpIT+VS5R/tqUQcheLpWC3ZItPRcfQ5pnglAkiJsD3tpCmljZBvTe2tQmw==', 'pB01OnXWD+ngTP35Ii2u/7nr6IpExfhu+WCLM6omlGKD49lHckRODiv/tW01SnNvTobEOHUlz+Lm0QwPEFT6sg==', 'Kst/cpNW+stInyo+R7DQSM2o2em2NU3tslltNPKEbP0VufIxNIpr8zRAFAch4T0zWNHbhiNUVWo4k1z3WEVwaA==', 'mtRC3wTN5SvMmbJs9uQ1SY+OPyMC6gMCVuHBNAUrmIH+ww3t7CVwPp/OXhdZ5YiNclgAKmE7+7Lhumcv5vNALBO9qCqSauTILC9saRZ6ACXZyGf1Lmj48gVVjJvkOLQRzsxGGJbjZF6Asb83YaHLELMIT8pRILLAxbzoESgfMYDwAAdYw/Nq0qVAVAKJo2gF81yzR+Vb5ymN2hldxU61V8i2lKAhID/S/NhP6F30oKnyF60/3zQU4HnJ5p/ixOi/jtkbI8fXBYRpYkSRAJyBMwTnbM61ihr4dIxGApsBaD0FGMmrkgLw0nNMmxRoQNFOEsDWUZYM7fR4P645Wfmw85VPWOSgmIcuYyIYntXq4Ga7sbfBYu1SR0CDxYp/+bLafN/HMPsOdfaM3jwVSfv26u5j5rmdDs51u5R4L4Bs7Y2iW1p8/OUqJ/9/jDzzzJsv4xuj5WgoUA31ujTFJOQUE4+HP2yqxt9LfNkUO9dCD06oBSbXhM3veF8110H2edIxbrpBbrHbMeq62UWyaws9YXdwxoVcly2DA/LBRQYrIbqPiFBC12hCcF1AByQIlILMkz/u6W1f9tWWqcTa7r1oyX7YltZWqsDxUchQPseFvEawNpGtK7BcSuVW9MSUd2AzDau3mwL9GsrmbsOy/FolLieNVkjeBLLqRPJmWcIjlm+UNYE7/WVNzC3uxtyovWbng9VR/KvQaxnT7qbnXoiXZfBdCV+63p47Arv1upSkaeThXoXpNn0IDwryU1PmAA6v7BaLuLFxTISAXLUL1qRu9CMrpOD31VJcV+gbl+ipGdpKTqj58RyIMBiWubY8TUB4X07OmRbPXosP/QxrCKY/NtvTCjymKOel1Ldny4jKIcWyMB79SBIsPijR9NtercglA0VoTvGplAm454VOLz9Or+zYi3U92tPOowe49/NXlDYBGDXEuqiAYlvW++FymOq3LYrvxEaMIs8S6vQlw4NxSAiDLyQOpWVklkmvJzSXRQHOcah5aUx2sQ8lrvU3lGz9qmrfUfFKLDSWDvejZGDo2qjAl3KXlJkJzairiUzGkcU=', 'qvNv/3DmbVHdwqVdt0nmMBUqDltRMhUdpJZQY4E27P91AuhYn8MBn7MG0uaBbEksI2BCcwA9SOVdNVMyyZW+C6umVJzrelhDRRlJvIYXDzUnzDSejRJ+/otwdE5kmTxz9quBnXtDtKnR7XsRi+waktchFP9+P+O4BwlZ6ZZNxNTRjBIZrrTDEvMlOaCF8M92/VoTExAm8SfrchmqAmBb9UJxqz7Da58InXRt44cQe6j+AjzgkzKNfaiLo2CCmBZY0UWj+2RYheIM4lCnLtNCReavV/Vmb73Un6j/FN22EVg=', 'I1W+CS5O2xwz/mIgFmMBykN7Ee7ho5k8eZ5J6D3YW57aE97qFTUg61n37Li1o0Waqgg19N9QcGdAkEgW6qdgPw==', 'pkvWx9EB/VxDNg1SOI1aRC8cUUDiyfBqf387cZf1bY3ag1BHeM7d+UkRwd4aUVNnt8L65pephvmHsecapeuOSQ==', 'w10TUuQ/QqDCUD6gjZNbacB4b7EcTgPK5AdSg9KwZ7HU3xbacvwRw2NaAtvWQW2okZPgVBwhKrZHG02cp/i9cA==', 'qUiaaVr6ViVdUFy1GCSy/XIoHuDvFENF11hZNTsIxy0QAKLzULCEUoS3YIXYEprVKBqz5RLqqorfOcVVmT8kcw=='
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, NormalStartup.cs Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 2.2.wscript.exe.6240000.3.raw.unpack, Settings.cs Base64 encoded string: 'VEt2PmhXMMIt1dJJJECAz1WHnDL0wlv8IZt1vpqPNSFxB38K5Btmk1hTwcjn9han0ayQP0bB+Dh7QB7osZeYkA==', 'xd+Dai6+yRW6ujvs7vLc/cH9S9P/cTNYodhYagiqgL97VyapNynPnF0PTLKK2XHfmzvtJP1hDiiCDjCCbbR2gQ==', 'sMndhh2MvpuufroCmflUDuSwMQ+cOpIT+VS5R/tqUQcheLpWC3ZItPRcfQ5pnglAkiJsD3tpCmljZBvTe2tQmw==', 'pB01OnXWD+ngTP35Ii2u/7nr6IpExfhu+WCLM6omlGKD49lHckRODiv/tW01SnNvTobEOHUlz+Lm0QwPEFT6sg==', 'Kst/cpNW+stInyo+R7DQSM2o2em2NU3tslltNPKEbP0VufIxNIpr8zRAFAch4T0zWNHbhiNUVWo4k1z3WEVwaA==', 'mtRC3wTN5SvMmbJs9uQ1SY+OPyMC6gMCVuHBNAUrmIH+ww3t7CVwPp/OXhdZ5YiNclgAKmE7+7Lhumcv5vNALBO9qCqSauTILC9saRZ6ACXZyGf1Lmj48gVVjJvkOLQRzsxGGJbjZF6Asb83YaHLELMIT8pRILLAxbzoESgfMYDwAAdYw/Nq0qVAVAKJo2gF81yzR+Vb5ymN2hldxU61V8i2lKAhID/S/NhP6F30oKnyF60/3zQU4HnJ5p/ixOi/jtkbI8fXBYRpYkSRAJyBMwTnbM61ihr4dIxGApsBaD0FGMmrkgLw0nNMmxRoQNFOEsDWUZYM7fR4P645Wfmw85VPWOSgmIcuYyIYntXq4Ga7sbfBYu1SR0CDxYp/+bLafN/HMPsOdfaM3jwVSfv26u5j5rmdDs51u5R4L4Bs7Y2iW1p8/OUqJ/9/jDzzzJsv4xuj5WgoUA31ujTFJOQUE4+HP2yqxt9LfNkUO9dCD06oBSbXhM3veF8110H2edIxbrpBbrHbMeq62UWyaws9YXdwxoVcly2DA/LBRQYrIbqPiFBC12hCcF1AByQIlILMkz/u6W1f9tWWqcTa7r1oyX7YltZWqsDxUchQPseFvEawNpGtK7BcSuVW9MSUd2AzDau3mwL9GsrmbsOy/FolLieNVkjeBLLqRPJmWcIjlm+UNYE7/WVNzC3uxtyovWbng9VR/KvQaxnT7qbnXoiXZfBdCV+63p47Arv1upSkaeThXoXpNn0IDwryU1PmAA6v7BaLuLFxTISAXLUL1qRu9CMrpOD31VJcV+gbl+ipGdpKTqj58RyIMBiWubY8TUB4X07OmRbPXosP/QxrCKY/NtvTCjymKOel1Ldny4jKIcWyMB79SBIsPijR9NtercglA0VoTvGplAm454VOLz9Or+zYi3U92tPOowe49/NXlDYBGDXEuqiAYlvW++FymOq3LYrvxEaMIs8S6vQlw4NxSAiDLyQOpWVklkmvJzSXRQHOcah5aUx2sQ8lrvU3lGz9qmrfUfFKLDSWDvejZGDo2qjAl3KXlJkJzairiUzGkcU=', 'qvNv/3DmbVHdwqVdt0nmMBUqDltRMhUdpJZQY4E27P91AuhYn8MBn7MG0uaBbEksI2BCcwA9SOVdNVMyyZW+C6umVJzrelhDRRlJvIYXDzUnzDSejRJ+/otwdE5kmTxz9quBnXtDtKnR7XsRi+waktchFP9+P+O4BwlZ6ZZNxNTRjBIZrrTDEvMlOaCF8M92/VoTExAm8SfrchmqAmBb9UJxqz7Da58InXRt44cQe6j+AjzgkzKNfaiLo2CCmBZY0UWj+2RYheIM4lCnLtNCReavV/Vmb73Un6j/FN22EVg=', 'I1W+CS5O2xwz/mIgFmMBykN7Ee7ho5k8eZ5J6D3YW57aE97qFTUg61n37Li1o0Waqgg19N9QcGdAkEgW6qdgPw==', 'pkvWx9EB/VxDNg1SOI1aRC8cUUDiyfBqf387cZf1bY3ag1BHeM7d+UkRwd4aUVNnt8L65pephvmHsecapeuOSQ==', 'w10TUuQ/QqDCUD6gjZNbacB4b7EcTgPK5AdSg9KwZ7HU3xbacvwRw2NaAtvWQW2okZPgVBwhKrZHG02cp/i9cA==', 'qUiaaVr6ViVdUFy1GCSy/XIoHuDvFENF11hZNTsIxy0QAKLzULCEUoS3YIXYEprVKBqz5RLqqorfOcVVmT8kcw=='
Source: 2.2.wscript.exe.6240000.3.raw.unpack, NormalStartup.cs Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.wscript.exe.6240000.3.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.wscript.exe.6240000.3.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.RegAsm.exe.5f20000.0.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.RegAsm.exe.5f20000.0.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.wscript.exe.5670000.0.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.wscript.exe.5670000.0.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winVBS@61/10@1/2
Source: C:\Windows\winhlp32.exe Code function: 17_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 17_2_00417952
Source: C:\Windows\winhlp32.exe Code function: 19_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 19_2_00417952
Source: C:\Windows\winhlp32.exe Code function: 21_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 21_2_00417952
Source: C:\Windows\winhlp32.exe Code function: 23_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 23_2_00417952
Source: C:\Windows\winhlp32.exe Code function: 27_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 27_2_00417952
Source: C:\Windows\winhlp32.exe Code function: 17_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 17_2_0040F474
Source: C:\Windows\winhlp32.exe Code function: 17_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, 17_2_0041B4A8
Source: C:\Windows\winhlp32.exe Code function: 17_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 17_2_0041AA4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4432:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\asasasa4242asas
Source: C:\Windows\winhlp32.exe Mutant created: \Sessions\1\BaseNamedObjects\asasasas-SEG6JT
Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Local\Temp\dynwrapx.dll Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: lmg1_Mlakaifa443456.vbs ReversingLabs: Detection: 26%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"' & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\remc1.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"' & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\remc1.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msdart.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: devenum.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msdmo.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: zipfldr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\winhlp32.exe Section loaded: winmm.dll
Source: C:\Windows\winhlp32.exe Section loaded: urlmon.dll
Source: C:\Windows\winhlp32.exe Section loaded: wininet.dll
Source: C:\Windows\winhlp32.exe Section loaded: iertutil.dll
Source: C:\Windows\winhlp32.exe Section loaded: srvcli.dll
Source: C:\Windows\winhlp32.exe Section loaded: netutils.dll
Source: C:\Windows\winhlp32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\winhlp32.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\winhlp32.exe Section loaded: ncrypt.dll
Source: C:\Windows\winhlp32.exe Section loaded: ntasn1.dll
Source: C:\Windows\winhlp32.exe Section loaded: sspicli.dll
Source: C:\Windows\winhlp32.exe Section loaded: mswsock.dll
Source: C:\Windows\winhlp32.exe Section loaded: windows.storage.dll
Source: C:\Windows\winhlp32.exe Section loaded: wldp.dll
Source: C:\Windows\winhlp32.exe Section loaded: profapi.dll
Source: C:\Windows\winhlp32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\winhlp32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\winhlp32.exe Section loaded: winhttp.dll
Source: C:\Windows\winhlp32.exe Section loaded: winnsi.dll
Source: C:\Windows\winhlp32.exe Section loaded: dnsapi.dll
Source: C:\Windows\winhlp32.exe Section loaded: rasadhlp.dll
Source: C:\Windows\winhlp32.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\winhlp32.exe Section loaded: winmm.dll
Source: C:\Windows\winhlp32.exe Section loaded: urlmon.dll
Source: C:\Windows\winhlp32.exe Section loaded: wininet.dll
Source: C:\Windows\winhlp32.exe Section loaded: iertutil.dll
Source: C:\Windows\winhlp32.exe Section loaded: srvcli.dll
Source: C:\Windows\winhlp32.exe Section loaded: netutils.dll
Source: C:\Windows\winhlp32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\winhlp32.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\winhlp32.exe Section loaded: ncrypt.dll
Source: C:\Windows\winhlp32.exe Section loaded: ntasn1.dll
Source: C:\Windows\winhlp32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\winhlp32.exe Section loaded: winmm.dll
Source: C:\Windows\winhlp32.exe Section loaded: urlmon.dll
Source: C:\Windows\winhlp32.exe Section loaded: wininet.dll
Source: C:\Windows\winhlp32.exe Section loaded: iertutil.dll
Source: C:\Windows\winhlp32.exe Section loaded: srvcli.dll
Source: C:\Windows\winhlp32.exe Section loaded: netutils.dll
Source: C:\Windows\winhlp32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\winhlp32.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\winhlp32.exe Section loaded: ncrypt.dll
Source: C:\Windows\winhlp32.exe Section loaded: ntasn1.dll
Source: C:\Windows\winhlp32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\winhlp32.exe Section loaded: winmm.dll
Source: C:\Windows\winhlp32.exe Section loaded: urlmon.dll
Source: C:\Windows\winhlp32.exe Section loaded: wininet.dll
Source: C:\Windows\winhlp32.exe Section loaded: iertutil.dll
Source: C:\Windows\winhlp32.exe Section loaded: srvcli.dll
Source: C:\Windows\winhlp32.exe Section loaded: netutils.dll
Source: C:\Windows\winhlp32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\winhlp32.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\winhlp32.exe Section loaded: ncrypt.dll
Source: C:\Windows\winhlp32.exe Section loaded: ntasn1.dll
Source: C:\Windows\winhlp32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: zipfldr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: zipfldr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\winhlp32.exe Section loaded: winmm.dll
Source: C:\Windows\winhlp32.exe Section loaded: urlmon.dll
Source: C:\Windows\winhlp32.exe Section loaded: wininet.dll
Source: C:\Windows\winhlp32.exe Section loaded: iertutil.dll
Source: C:\Windows\winhlp32.exe Section loaded: srvcli.dll
Source: C:\Windows\winhlp32.exe Section loaded: netutils.dll
Source: C:\Windows\winhlp32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\winhlp32.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\winhlp32.exe Section loaded: ncrypt.dll
Source: C:\Windows\winhlp32.exe Section loaded: ntasn1.dll
Source: C:\Windows\winhlp32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\winhlp32.exe Section loaded: winmm.dll
Source: C:\Windows\winhlp32.exe Section loaded: urlmon.dll
Source: C:\Windows\winhlp32.exe Section loaded: wininet.dll
Source: C:\Windows\winhlp32.exe Section loaded: iertutil.dll
Source: C:\Windows\winhlp32.exe Section loaded: srvcli.dll
Source: C:\Windows\winhlp32.exe Section loaded: netutils.dll
Source: C:\Windows\winhlp32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\winhlp32.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\winhlp32.exe Section loaded: ncrypt.dll
Source: C:\Windows\winhlp32.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Binary string: C:\Users\28718\Documents\GitHub\DcRat\Binaries\Release\Plugins\SendFile.pdb source: RegAsm.exe, 00000004.00000002.3319084811.0000000005F20000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%windir%");IHost.CreateObject("wscript.shell");ISWbemServicesEx.ExecQuery("SELECT * FROM WIN32_COMPUTERSYSTEM");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IHost.Path();IWshShell3.ExpandEnvironmentStrings("%WINDIR%");IHost.ScriptFullName();IWshShell3.Run("C:\Windows\SYSWOW64\WSCRIPT.EXE //b //e:vbscript "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs"")
Source: C:\Windows\SysWOW64\wscript.exe Anti Malware Scan Interface: CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%windir%");IHost.CreateObject("wscript.shell");ISWbemServicesEx.ExecQuery("SELECT * FROM WIN32_COMPUTERSYSTEM");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IHost.Path();IWshShell3.ExpandEnvironmentStrings("%temp%");IXMLDOMNode._0000003f("<HELLO/>");IXMLDOMNode._00000028();IXMLDOMElement.nodeTypedValue("4D5A6C000100000002000000FFFF00000000000011000000400000000000000057696E33322050726F6772616D210D0A24B409BA0001CD21B44CCD2160000000476F4C696E6B2C20476F41736D207777772E476F446576546F6F6C2E636F6D00504500004C0107003575F8480");IXMLDOMNode._00000028();IXMLDOMElement.dataType("BIN.HEX");IXMLDOMNode._00000028();IXMLDOMElement.nodeTypedValue();IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\dynwrapx.dll");_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\dynwrapx.dll");IHost.CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%windir%");IHost.CreateObject("wscript.shell");ISWbemServicesEx.ExecQuery("SELECT * FROM WIN32_COMPUTERSYSTEM");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IHost.Path();IWshShell3.ExpandEnvironmentStrings("%temp%");IXMLDOMNode._0000003f("<HELLO/>");IXMLDOMNode._00000028();IXMLDOMElement.nodeTypedValue("4D5A6C000100000002000000FFFF00000000000011000000400000000000000057696E33322050726F6772616D210D0A24B409BA0001CD21B44CCD2160000000476F4C696E6B2C20476F41736D207777772E476F446576546F6F6C2E636F6D00504500004C0107003575F8480");IXMLDOMNode._00000028();IXMLDOMElement.dataType("BIN.HEX");IXMLDOMNode._00000028();IXMLDOMElement.nodeTypedValue();IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\dynwrapx.dll");_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\dynwrapx.dll");IWshShell3.Run("regsvr32.exe /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"", "0", "true");IHost.CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%windir%");IHost.CreateObject("wscript.shell");ISWbemServicesEx.ExecQuery("SELECT * FROM WIN32_COMPUTERSYSTEM");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IHost.Path();IWshShell3.ExpandEnvironmentStrings("%temp%");IXMLDOMNode._0000003f("<HELLO/>");IXMLDOMNode._00000028();IXMLDOMElement.nodeTypedValue("4D5A6C000100000002000000FFFF00000000000011000000400000000000000057696E33322050726F6772616D210D0A24B409BA0001CD21B44CCD2160000000476F4C696E6B2C20476F41736D207777772E476F446576546F6F6C2E636F6D00504500004C0107003575F8480");IXMLDOMNode._00000028();IXMLDOMElement.dataType("BIN.HEX");IXMLDOMNode._00000028();IXMLDOMElement.nodeTypedValue();IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\dynwrapx.dll");_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\dynwrapx.dll");IWshShell3.Run("regsvr32.exe /I /S "C:\Users\al
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"'
Contains functionality to dynamically determine API calls
Source: C:\Windows\winhlp32.exe Code function: 17_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 17_2_0041CB50
PE file contains sections with non-standard names
Source: dynwrapx.dll.2.dr Static PE information: section name: const
Registers a DLL
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DD9 pushad ; retf 0057h 2_3_051A9DDA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DD9 pushad ; retf 0057h 2_3_051A9DDA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DD9 pushad ; retf 0057h 2_3_051A9DDA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DD9 pushad ; retf 0057h 2_3_051A9DDA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DD9 pushad ; retf 0057h 2_3_051A9DDA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DD9 pushad ; retf 0057h 2_3_051A9DDA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DD9 pushad ; retf 0057h 2_3_051A9DDA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DC1 pushad ; iretd 2_3_051A9DC2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DC1 pushad ; iretd 2_3_051A9DC2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DC1 pushad ; iretd 2_3_051A9DC2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DC1 pushad ; iretd 2_3_051A9DC2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DC1 pushad ; iretd 2_3_051A9DC2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DC1 pushad ; iretd 2_3_051A9DC2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DC1 pushad ; iretd 2_3_051A9DC2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DD9 pushad ; retf 0057h 2_3_051A9DDA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DD9 pushad ; retf 0057h 2_3_051A9DDA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DD9 pushad ; retf 0057h 2_3_051A9DDA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DD9 pushad ; retf 0057h 2_3_051A9DDA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DD9 pushad ; retf 0057h 2_3_051A9DDA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DD9 pushad ; retf 0057h 2_3_051A9DDA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DD9 pushad ; retf 0057h 2_3_051A9DDA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DC1 pushad ; iretd 2_3_051A9DC2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DC1 pushad ; iretd 2_3_051A9DC2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DC1 pushad ; iretd 2_3_051A9DC2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DC1 pushad ; iretd 2_3_051A9DC2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DC1 pushad ; iretd 2_3_051A9DC2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DC1 pushad ; iretd 2_3_051A9DC2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DC1 pushad ; iretd 2_3_051A9DC2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DD9 pushad ; retf 0057h 2_3_051A9DDA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DD9 pushad ; retf 0057h 2_3_051A9DDA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DD9 pushad ; retf 0057h 2_3_051A9DDA

Persistence and Installation Behavior
barindex
Windows Shell Script Host drops VBS files
Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs
Contains functionality to download and launch executables
Source: C:\Windows\winhlp32.exe Code function: 17_2_00406EB0 ShellExecuteW,URLDownloadToFileW, 17_2_00406EB0
Drops PE files
Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Local\Temp\dynwrapx.dll Jump to dropped file

Boot Survival
barindex
Yara detected AsyncRAT
Source: Yara match File source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 5144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4068, type: MEMORYSTR
Drops VBS files to the startup folder
Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs
Stores files to the Windows start menu directory
Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs
Source: C:\Windows\winhlp32.exe Code function: 17_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 17_2_0041AA4A
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\winhlp32.exe Code function: 17_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 17_2_0041CB50
Stores large binary data to the registry
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\6FA57DE146646C132F6E 54A25BAFF557DB5C79E3CC342368ADFCFD9AB2EA9908343A4F6A6267258007D1 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\winhlp32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AsyncRAT
Source: Yara match File source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 5144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4068, type: MEMORYSTR
Delayed program exit found
Source: C:\Windows\winhlp32.exe Code function: 17_2_0040F7A7 Sleep,ExitProcess, 17_2_0040F7A7
Source: C:\Windows\winhlp32.exe Code function: 19_2_0040F7A7 Sleep,ExitProcess, 19_2_0040F7A7
Source: C:\Windows\winhlp32.exe Code function: 21_2_0040F7A7 Sleep,ExitProcess, 21_2_0040F7A7
Source: C:\Windows\winhlp32.exe Code function: 23_2_0040F7A7 Sleep,ExitProcess, 23_2_0040F7A7
Source: C:\Windows\winhlp32.exe Code function: 27_2_0040F7A7 Sleep,ExitProcess, 27_2_0040F7A7
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2D20000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2F80000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2D90000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 1330000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2FF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 4FF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 1450000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 32A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2FB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 1480000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2CD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2B00000 memory reserve | memory write watch Jump to behavior
Contains functionality to enumerate running services
Source: C:\Windows\winhlp32.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 17_2_0041A748
Source: C:\Windows\winhlp32.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 19_2_0041A748
Source: C:\Windows\winhlp32.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 21_2_0041A748
Source: C:\Windows\winhlp32.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 23_2_0041A748
Source: C:\Windows\winhlp32.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 27_2_0041A748
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 2852 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 7003 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3445
Source: C:\Windows\winhlp32.exe Window / User API: threadDelayed 6473
Source: C:\Windows\winhlp32.exe Window / User API: threadDelayed 3519
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\wscript.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dynwrapx.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Windows\winhlp32.exe API coverage: 6.2 %
Source: C:\Windows\winhlp32.exe API coverage: 6.2 %
Source: C:\Windows\winhlp32.exe API coverage: 6.2 %
Source: C:\Windows\winhlp32.exe API coverage: 6.0 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3504 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3448 Thread sleep time: -15679732462653109s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4112 Thread sleep count: 2852 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4112 Thread sleep count: 7003 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6132 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6600 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3140 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2132 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2108 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\winhlp32.exe TID: 2072 Thread sleep count: 6473 > 30
Source: C:\Windows\winhlp32.exe TID: 2072 Thread sleep time: -19419000s >= -30000s
Source: C:\Windows\winhlp32.exe TID: 2072 Thread sleep count: 3519 > 30
Source: C:\Windows\winhlp32.exe TID: 2072 Thread sleep time: -10557000s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_COMPUTERSYSTEM
Source: C:\Windows\SysWOW64\wscript.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_COMPUTERSYSTEM
Source: C:\Windows\SysWOW64\wscript.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_COMPUTERSYSTEM
Source: C:\Windows\SysWOW64\wscript.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_COMPUTERSYSTEM
Source: C:\Windows\SysWOW64\wscript.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_COMPUTERSYSTEM
Source: C:\Windows\SysWOW64\wscript.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_COMPUTERSYSTEM
Source: C:\Windows\SysWOW64\wscript.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_COMPUTERSYSTEM
Source: C:\Windows\SysWOW64\wscript.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_COMPUTERSYSTEM
Source: C:\Windows\SysWOW64\wscript.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_COMPUTERSYSTEM
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_COMPUTERSYSTEM
Source: C:\Windows\SysWOW64\wscript.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_COMPUTERSYSTEM
Source: C:\Windows\SysWOW64\wscript.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_COMPUTERSYSTEM
Source: C:\Windows\SysWOW64\wscript.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_COMPUTERSYSTEM
Source: C:\Windows\SysWOW64\wscript.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_COMPUTERSYSTEM
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\wscript.exe File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs FullSizeInformation
Source: C:\Windows\SysWOW64\wscript.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\wscript.exe File Volume queried: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs FullSizeInformation
Source: C:\Windows\winhlp32.exe Code function: 17_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_00409253
Source: C:\Windows\winhlp32.exe Code function: 17_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 17_2_0041C291
Source: C:\Windows\winhlp32.exe Code function: 17_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 17_2_0040C34D
Source: C:\Windows\winhlp32.exe Code function: 17_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_00409665
Source: C:\Windows\winhlp32.exe Code function: 17_2_0044E879 FindFirstFileExA, 17_2_0044E879
Source: C:\Windows\winhlp32.exe Code function: 17_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 17_2_0040880C
Source: C:\Windows\winhlp32.exe Code function: 17_2_0040783C FindFirstFileW,FindNextFileW, 17_2_0040783C
Source: C:\Windows\winhlp32.exe Code function: 17_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 17_2_00419AF5
Source: C:\Windows\winhlp32.exe Code function: 17_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 17_2_0040BB30
Source: C:\Windows\winhlp32.exe Code function: 17_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 17_2_0040BD37
Source: C:\Windows\winhlp32.exe Code function: 19_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 19_2_00409253
Source: C:\Windows\winhlp32.exe Code function: 19_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 19_2_0041C291
Source: C:\Windows\winhlp32.exe Code function: 19_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 19_2_0040C34D
Source: C:\Windows\winhlp32.exe Code function: 19_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 19_2_00409665
Source: C:\Windows\winhlp32.exe Code function: 19_2_0044E879 FindFirstFileExA, 19_2_0044E879
Source: C:\Windows\winhlp32.exe Code function: 19_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 19_2_0040880C
Source: C:\Windows\winhlp32.exe Code function: 19_2_0040783C FindFirstFileW,FindNextFileW, 19_2_0040783C
Source: C:\Windows\winhlp32.exe Code function: 19_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 19_2_00419AF5
Source: C:\Windows\winhlp32.exe Code function: 19_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 19_2_0040BB30
Source: C:\Windows\winhlp32.exe Code function: 19_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 19_2_0040BD37
Source: C:\Windows\winhlp32.exe Code function: 21_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 21_2_00409253
Source: C:\Windows\winhlp32.exe Code function: 21_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 21_2_0041C291
Source: C:\Windows\winhlp32.exe Code function: 21_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 21_2_0040C34D
Source: C:\Windows\winhlp32.exe Code function: 21_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 21_2_00409665
Source: C:\Windows\winhlp32.exe Code function: 21_2_0044E879 FindFirstFileExA, 21_2_0044E879
Source: C:\Windows\winhlp32.exe Code function: 21_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 21_2_0040880C
Source: C:\Windows\winhlp32.exe Code function: 21_2_0040783C FindFirstFileW,FindNextFileW, 21_2_0040783C
Source: C:\Windows\winhlp32.exe Code function: 21_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 21_2_00419AF5
Source: C:\Windows\winhlp32.exe Code function: 21_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 21_2_0040BB30
Source: C:\Windows\winhlp32.exe Code function: 21_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 21_2_0040BD37
Source: C:\Windows\winhlp32.exe Code function: 23_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 23_2_00409253
Source: C:\Windows\winhlp32.exe Code function: 23_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 23_2_0041C291
Source: C:\Windows\winhlp32.exe Code function: 23_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 23_2_0040C34D
Source: C:\Windows\winhlp32.exe Code function: 23_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 23_2_00409665
Source: C:\Windows\winhlp32.exe Code function: 23_2_0044E879 FindFirstFileExA, 23_2_0044E879
Source: C:\Windows\winhlp32.exe Code function: 23_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 23_2_0040880C
Source: C:\Windows\winhlp32.exe Code function: 23_2_0040783C FindFirstFileW,FindNextFileW, 23_2_0040783C
Source: C:\Windows\winhlp32.exe Code function: 23_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 23_2_00419AF5
Source: C:\Windows\winhlp32.exe Code function: 23_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 23_2_0040BB30
Source: C:\Windows\winhlp32.exe Code function: 23_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 23_2_0040BD37
Source: C:\Windows\winhlp32.exe Code function: 27_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 27_2_00409253
Source: C:\Windows\winhlp32.exe Code function: 27_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 27_2_0041C291
Source: C:\Windows\winhlp32.exe Code function: 27_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 27_2_0040C34D
Source: C:\Windows\winhlp32.exe Code function: 27_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 27_2_00409665
Source: C:\Windows\winhlp32.exe Code function: 27_2_0044E879 FindFirstFileExA, 27_2_0044E879
Source: C:\Windows\winhlp32.exe Code function: 27_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 27_2_0040880C
Source: C:\Windows\winhlp32.exe Code function: 27_2_0040783C FindFirstFileW,FindNextFileW, 27_2_0040783C
Source: C:\Windows\winhlp32.exe Code function: 27_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 27_2_00419AF5
Source: C:\Windows\winhlp32.exe Code function: 27_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 27_2_0040BB30
Source: C:\Windows\winhlp32.exe Code function: 27_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 27_2_0040BD37
Source: C:\Windows\winhlp32.exe Code function: 17_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 17_2_00407C97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData
Source: RegAsm.exe, 00000004.00000002.3316798522.0000000005337000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3306976580.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, winhlp32.exe, 00000011.00000003.2300656091.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: winhlp32.exe, 00000011.00000003.2300656091.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWf
Source: RegAsm.exe, 00000004.00000002.3316213754.00000000052ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: RegAsm.exe, 00000004.00000002.3307841453.0000000001150000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: C:\Windows\winhlp32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\winhlp32.exe Code function: 17_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_004349F9
Contains functionality to dynamically determine API calls
Source: C:\Windows\winhlp32.exe Code function: 17_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 17_2_0041CB50
Contains functionality to read the PEB
Source: C:\Windows\winhlp32.exe Code function: 17_2_004432B5 mov eax, dword ptr fs:[00000030h] 17_2_004432B5
Source: C:\Windows\winhlp32.exe Code function: 19_2_004432B5 mov eax, dword ptr fs:[00000030h] 19_2_004432B5
Source: C:\Windows\winhlp32.exe Code function: 21_2_004432B5 mov eax, dword ptr fs:[00000030h] 21_2_004432B5
Source: C:\Windows\winhlp32.exe Code function: 23_2_004432B5 mov eax, dword ptr fs:[00000030h] 23_2_004432B5
Source: C:\Windows\winhlp32.exe Code function: 27_2_004432B5 mov eax, dword ptr fs:[00000030h] 27_2_004432B5
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\winhlp32.exe Code function: 17_2_00412077 GetProcessHeap,HeapFree, 17_2_00412077
Source: C:\Windows\winhlp32.exe Code function: 17_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_004349F9
Source: C:\Windows\winhlp32.exe Code function: 17_2_00434B47 SetUnhandledExceptionFilter, 17_2_00434B47
Source: C:\Windows\winhlp32.exe Code function: 17_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_0043BB22
Source: C:\Windows\winhlp32.exe Code function: 17_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_00434FDC
Source: C:\Windows\winhlp32.exe Code function: 19_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_004349F9
Source: C:\Windows\winhlp32.exe Code function: 19_2_00434B47 SetUnhandledExceptionFilter, 19_2_00434B47
Source: C:\Windows\winhlp32.exe Code function: 19_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_0043BB22
Source: C:\Windows\winhlp32.exe Code function: 19_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00434FDC
Source: C:\Windows\winhlp32.exe Code function: 21_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_004349F9
Source: C:\Windows\winhlp32.exe Code function: 21_2_00434B47 SetUnhandledExceptionFilter, 21_2_00434B47
Source: C:\Windows\winhlp32.exe Code function: 21_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_0043BB22
Source: C:\Windows\winhlp32.exe Code function: 21_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 21_2_00434FDC
Source: C:\Windows\winhlp32.exe Code function: 23_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_004349F9
Source: C:\Windows\winhlp32.exe Code function: 23_2_00434B47 SetUnhandledExceptionFilter, 23_2_00434B47
Source: C:\Windows\winhlp32.exe Code function: 23_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_0043BB22
Source: C:\Windows\winhlp32.exe Code function: 23_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_00434FDC
Source: C:\Windows\winhlp32.exe Code function: 27_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 27_2_004349F9
Source: C:\Windows\winhlp32.exe Code function: 27_2_00434B47 SetUnhandledExceptionFilter, 27_2_00434B47
Source: C:\Windows\winhlp32.exe Code function: 27_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 27_2_0043BB22
Source: C:\Windows\winhlp32.exe Code function: 27_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 27_2_00434FDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, AntiProcess.cs Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, Win32.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, Win32.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, Amsi.cs Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: C:\Windows\winhlp32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: C:\Windows\winhlp32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: C:\Windows\winhlp32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: C:\Windows\winhlp32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: C:\Windows\winhlp32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: C:\Windows\winhlp32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: C:\Windows\winhlp32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: C:\Windows\winhlp32.exe base: 400000 protect: page execute and read and write
Bypasses PowerShell execution policy
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"'
Contains functionality to inject code into remote processes
Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_2_05660054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 2_2_05660054
Injects a PE file into a foreign processes
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 410000 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C37008 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 410000 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: ECA008 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 410000 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 10BC008 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 410000 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C33008 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 400000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 401000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 459000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 471000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 477000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 478000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 479000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 47E000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 2C31008
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 400000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 401000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 459000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 471000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 477000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 478000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 479000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 47E000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 29D3008
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 400000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 401000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 459000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 471000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 477000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 478000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 479000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 47E000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 2BCF008
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 400000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 401000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 459000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 471000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 477000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 478000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 479000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 47E000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 310E008
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 400000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 401000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 459000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 471000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 477000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 478000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 479000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 47E000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 29B7008
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 400000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 401000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 459000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 471000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 477000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 478000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 479000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 47E000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 268F008
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 400000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 401000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 459000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 471000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 477000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 478000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 479000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 47E000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 2C59008
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 400000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 401000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 459000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 471000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 477000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 478000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 479000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 47E000
Source: C:\Windows\SysWOW64\wscript.exe Memory written: C:\Windows\winhlp32.exe base: 2CCC008
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Windows\winhlp32.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 17_2_004120F7
Source: C:\Windows\winhlp32.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 19_2_004120F7
Source: C:\Windows\winhlp32.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 21_2_004120F7
Source: C:\Windows\winhlp32.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 23_2_004120F7
Source: C:\Windows\winhlp32.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 27_2_004120F7
Contains functionality to simulate mouse events
Source: C:\Windows\winhlp32.exe Code function: 17_2_00419627 mouse_event, 17_2_00419627
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"' & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\remc1.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
Source: RegAsm.exe, 00000004.00000002.3309788726.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3309788726.0000000003069000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3309788726.0000000003030000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@\]q
Source: RegAsm.exe, 00000004.00000002.3309788726.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3318000698.000000000550E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3309788726.0000000003069000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 00000004.00000002.3309788726.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3309788726.0000000003069000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3309788726.0000000003030000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@\]q&
Source: RegAsm.exe, 00000004.00000002.3309788726.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3309788726.0000000003069000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3309788726.0000000003030000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe]q
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\winhlp32.exe Code function: 17_2_00434C52 cpuid 17_2_00434C52
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoA, 17_2_0040F8D1
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 17_2_00452036
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 17_2_004520C3
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW, 17_2_00452313
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 17_2_00448404
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 17_2_0045243C
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW, 17_2_00452543
Source: C:\Windows\winhlp32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 17_2_00452610
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW, 17_2_004488ED
Source: C:\Windows\winhlp32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 17_2_00451CD8
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 17_2_00451F50
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 17_2_00451F9B
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 19_2_00452036
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 19_2_004520C3
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW, 19_2_00452313
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 19_2_00448404
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 19_2_0045243C
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW, 19_2_00452543
Source: C:\Windows\winhlp32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 19_2_00452610
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoA, 19_2_0040F8D1
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW, 19_2_004488ED
Source: C:\Windows\winhlp32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 19_2_00451CD8
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 19_2_00451F50
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 19_2_00451F9B
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 21_2_00452036
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 21_2_004520C3
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW, 21_2_00452313
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 21_2_00448404
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 21_2_0045243C
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW, 21_2_00452543
Source: C:\Windows\winhlp32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 21_2_00452610
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoA, 21_2_0040F8D1
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW, 21_2_004488ED
Source: C:\Windows\winhlp32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 21_2_00451CD8
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 21_2_00451F50
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 21_2_00451F9B
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 23_2_00452036
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 23_2_004520C3
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW, 23_2_00452313
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 23_2_00448404
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 23_2_0045243C
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW, 23_2_00452543
Source: C:\Windows\winhlp32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 23_2_00452610
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoA, 23_2_0040F8D1
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW, 23_2_004488ED
Source: C:\Windows\winhlp32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 23_2_00451CD8
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 23_2_00451F50
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 23_2_00451F9B
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 27_2_00452036
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 27_2_004520C3
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW, 27_2_00452313
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 27_2_00448404
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 27_2_0045243C
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW, 27_2_00452543
Source: C:\Windows\winhlp32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 27_2_00452610
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoA, 27_2_0040F8D1
Source: C:\Windows\winhlp32.exe Code function: GetLocaleInfoW, 27_2_004488ED
Source: C:\Windows\winhlp32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 27_2_00451CD8
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 27_2_00451F50
Source: C:\Windows\winhlp32.exe Code function: EnumSystemLocalesW, 27_2_00451F9B
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\winhlp32.exe Code function: 17_2_00404F51 GetLocalTime,CreateEventA,CreateThread, 17_2_00404F51
Source: C:\Windows\winhlp32.exe Code function: 17_2_0041B60D GetComputerNameExW,GetUserNameW, 17_2_0041B60D
Source: C:\Windows\winhlp32.exe Code function: 17_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 17_2_00449190
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Yara detected AsyncRAT
Source: Yara match File source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 5144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4068, type: MEMORYSTR
AV process strings found (often used to terminate AV products)
Source: RegAsm.exe, 00000004.00000002.3316991933.0000000005474000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: wscript.exe, 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: MSASCui.exe
Source: wscript.exe, 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: procexp.exe
Source: RegAsm.exe, 00000004.00000002.3318000698.000000000550E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3307841453.0000000001150000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: wscript.exe, 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected DcRat
Source: Yara match File source: 00000004.00000002.3309788726.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4068, type: MEMORYSTR
Yara detected Remcos RAT
Source: Yara match File source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2293840182.0000000002B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2306410441.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2465197293.00000000030A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2318995170.0000000003537000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2453487662.0000000003017000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3307138781.0000000002F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2427511925.0000000002B17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2441743999.00000000029F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: winhlp32.exe PID: 6540, type: MEMORYSTR
Contains functionality to steal Chrome passwords or cookies
Source: C:\Windows\winhlp32.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 17_2_0040BA12
Source: C:\Windows\winhlp32.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 19_2_0040BA12
Source: C:\Windows\winhlp32.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 21_2_0040BA12
Source: C:\Windows\winhlp32.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 23_2_0040BA12
Source: C:\Windows\winhlp32.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 27_2_0040BA12
Contains functionality to steal Firefox passwords or cookies
Source: C:\Windows\winhlp32.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 17_2_0040BB30
Source: C:\Windows\winhlp32.exe Code function: \key3.db 17_2_0040BB30
Source: C:\Windows\winhlp32.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 19_2_0040BB30
Source: C:\Windows\winhlp32.exe Code function: \key3.db 19_2_0040BB30
Source: C:\Windows\winhlp32.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 21_2_0040BB30
Source: C:\Windows\winhlp32.exe Code function: \key3.db 21_2_0040BB30
Source: C:\Windows\winhlp32.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 23_2_0040BB30
Source: C:\Windows\winhlp32.exe Code function: \key3.db 23_2_0040BB30
Source: C:\Windows\winhlp32.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 27_2_0040BB30
Source: C:\Windows\winhlp32.exe Code function: \key3.db 27_2_0040BB30

Remote Access Functionality
barindex
Yara detected DcRat
Source: Yara match File source: 00000004.00000002.3309788726.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4068, type: MEMORYSTR
Yara detected Remcos RAT
Source: Yara match File source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2293840182.0000000002B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2306410441.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2465197293.00000000030A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2318995170.0000000003537000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2453487662.0000000003017000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3307138781.0000000002F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2427511925.0000000002B17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2441743999.00000000029F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: winhlp32.exe PID: 6540, type: MEMORYSTR
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Windows\winhlp32.exe Code function: cmd.exe 17_2_0040569A
Source: C:\Windows\winhlp32.exe Code function: cmd.exe 19_2_0040569A
Source: C:\Windows\winhlp32.exe Code function: cmd.exe 21_2_0040569A
Source: C:\Windows\winhlp32.exe Code function: cmd.exe 23_2_0040569A
Source: C:\Windows\winhlp32.exe Code function: cmd.exe 27_2_0040569A
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1431185 Sample: lmg1_Mlakaifa443456.vbs Startdate: 24/04/2024 Architecture: WINDOWS Score: 100 68 geoplugin.net 2->68 70 bg.microsoft.map.fastly.net 2->70 98 Snort IDS alert for network traffic 2->98 100 Found malware configuration 2->100 102 Malicious sample detected (through community Yara rule) 2->102 104 19 other signatures 2->104 12 wscript.exe 1 2->12         started        15 wscript.exe 2->15         started        signatures3 process4 signatures5 118 VBScript performs obfuscated calls to suspicious functions 12->118 120 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->120 122 Suspicious execution chain found 12->122 17 wscript.exe 2 12->17         started        124 Wscript called in batch mode (surpress errors) 15->124 21 wscript.exe 15->21         started        process6 file7 64 C:\Users\user\AppData\Local\...\dynwrapx.dll, PE32 17->64 dropped 84 VBScript performs obfuscated calls to suspicious functions 17->84 86 Drops VBS files to the startup folder 17->86 88 Contains functionality to inject code into remote processes 17->88 96 3 other signatures 17->96 23 RegAsm.exe 2 4 17->23         started        27 RegAsm.exe 2 17->27         started        29 RegAsm.exe 3 17->29         started        37 5 other processes 17->37 90 Writes to foreign memory regions 21->90 92 Allocates memory in foreign processes 21->92 94 Injects a PE file into a foreign processes 21->94 31 regsvr32.exe 21->31         started        33 winhlp32.exe 21->33         started        35 regsvr32.exe 21->35         started        39 5 other processes 21->39 signatures8 process9 dnsIp10 74 139.99.133.66, 4444, 49704, 49706 OVHFR Canada 23->74 66 C:\Users\user\AppData\Local\Temp\remc1.vbs, Unicode 23->66 dropped 41 cmd.exe 23->41         started        file11 process12 signatures13 114 Suspicious powershell command line found 41->114 116 Bypasses PowerShell execution policy 41->116 44 powershell.exe 41->44         started        46 conhost.exe 41->46         started        process14 process15 48 wscript.exe 44->48         started        file16 62 C:\Users\user\AppData\Roaming\...\remc1.vbs, Unicode 48->62 dropped 76 Windows Shell Script Host drops VBS files 48->76 78 Writes to foreign memory regions 48->78 80 Allocates memory in foreign processes 48->80 82 2 other signatures 48->82 52 winhlp32.exe 48->52         started        56 regsvr32.exe 48->56         started        58 regsvr32.exe 48->58         started        60 5 other processes 48->60 signatures17 process18 dnsIp19 72 geoplugin.net 178.237.33.50, 49716, 80 ATOM86-ASATOM86NL Netherlands 52->72 106 Contains functionality to bypass UAC (CMSTPLUA) 52->106 108 Contains functionalty to change the wallpaper 52->108 110 Contains functionality to steal Chrome passwords or cookies 52->110 112 3 other signatures 52->112 signatures20
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false
139.99.133.66
 unknown Canada
16276 OVHFR true

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true
geoplugin.net 178.237.33.50 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://geoplugin.net/json.gp true
  • URL Reputation: phishing
 unknown
139.99.133.66 true
  • Avira URL Cloud: safe
 unknown