Windows Analysis Report
3TpW2Sn68z.exe

Overview

General Information

Sample name: 3TpW2Sn68z.exe
renamed because original name is a hash value
Original sample name: 560def626fc69a10e4979b67107efaad102e2a01ce4733d005003dd47437a30e.exe
Analysis ID: 1504845
MD5: c7fc0cee8ca35d709ed276e9f88ddbed
SHA1: ceea9d76bf0429872f4d7420addd0abdb5e8f4dc
SHA256: 560def626fc69a10e4979b67107efaad102e2a01ce4733d005003dd47437a30e
Tags: exe

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: Suspect Svchost Activity
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: 00000008.00000002.4143632839.0000000001938000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "84.38.132.103:7001:1", "Assigned name": "Main", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-FR1M2R", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe ReversingLabs: Detection: 50%
Source: 3TpW2Sn68z.exe ReversingLabs: Detection: 50%
Source: Yara match File source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4144608465.0000000003CEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4143940399.0000000001B5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4143632839.0000000001938000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4143971478.0000000001118000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4143971478.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4144505602.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Joe Sandbox ML: detected
Source: 3TpW2Sn68z.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 2_2_004338C8
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 8_2_004338C8
Source: RegAsymX.exe, 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_98b29fde-1

Exploits

Source: Yara match File source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_00407538 _wcslen,CoGetObject, 2_2_00407538
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_00407538 _wcslen,CoGetObject, 8_2_00407538

Compliance

Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Unpacked PE file: 2.2.RegAsymX.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Unpacked PE file: 8.2.RegAsymX.exe.400000.0.unpack
Source: 3TpW2Sn68z.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_005CDBBE
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005D68EE FindFirstFileW,FindClose, 0_2_005D68EE
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_005D698F
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_005CD076
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_005CD3A9
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_005D9642
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_005D979D
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_005D9B2B
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005D5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_005D5C97
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_0084DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 1_2_0084DBBE
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_008568EE FindFirstFileW,FindClose, 1_2_008568EE
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_0085698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 1_2_0085698F
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_0084D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_0084D076
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_0084D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_0084D3A9
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_00859642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00859642
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_0085979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_0085979D
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_00859B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 1_2_00859B2B
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_00855C97 FindFirstFileW,FindNextFileW,FindClose, 1_2_00855C97
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 2_2_0040928E
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 2_2_0041C322
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 2_2_0040C388
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 2_2_004096A0
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 2_2_00408847
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_00407877 FindFirstFileW,FindNextFileW, 2_2_00407877
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 2_2_0040BB6B
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 2_2_00419B86
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 2_2_0040BD72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0327698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 3_2_0327698F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_032768EE FindFirstFileW,FindClose, 3_2_032768EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0326D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_0326D3A9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0326D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_0326D076
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0327979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_0327979D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03279642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_03279642
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03279B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 3_2_03279B2B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0326DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 3_2_0326DBBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03275C97 FindFirstFileW,FindNextFileW,FindClose, 3_2_03275C97
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_0040928E
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 8_2_0041C322
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 8_2_0040C388
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_004096A0
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 8_2_00408847
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_00407877 FindFirstFileW,FindNextFileW, 8_2_00407877
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 8_2_0040BB6B
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 8_2_00419B86
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 8_2_0040BD72
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 2_2_00407CD2
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Networking

Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49730 -> 84.38.132.103:7001
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:53013 -> 84.38.132.103:7001
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:53009 -> 84.38.132.103:7001
Source: Malware configuration extractor URLs: 84.38.132.103
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 84.38.132.103:7001
Source: Joe Sandbox View ASN Name: DATACLUBLV DATACLUBLV
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.132.103
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005DCE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 0_2_005DCE44
Source: RegAsymX.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: RegAsymX.exe, 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, RegAsymX.exe, 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, RegAsymX.exe, 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, RegAsymX.exe, 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, RegAsymX.exe, 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 2_2_0040A2F3
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005DEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_005DEAFF
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005DED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_005DED6A
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_0085ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 1_2_0085ED6A
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_004168FC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0327ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 3_2_0327ED6A
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 8_2_004168FC
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005CAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 0_2_005CAA57
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005F9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_005F9576
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_00879576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 1_2_00879576
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03299576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 3_2_03299576
Source: Yara match File source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4144608465.0000000003CEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4143940399.0000000001B5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4143632839.0000000001938000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4143971478.0000000001118000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4143971478.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4144505602.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0041CA6D SystemParametersInfoW, 2_2_0041CA6D
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0041CA73 SystemParametersInfoW, 2_2_0041CA73
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0041CA6D SystemParametersInfoW, 8_2_0041CA6D
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0041CA73 SystemParametersInfoW, 8_2_0041CA73

System Summary

Source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3TpW2Sn68z.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 3TpW2Sn68z.exe, 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_814a09af-6
Source: 3TpW2Sn68z.exe, 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_017a4c7f-1
Source: 3TpW2Sn68z.exe, 00000000.00000003.1681672618.0000000003DE1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_deae4797-6
Source: 3TpW2Sn68z.exe, 00000000.00000003.1681672618.0000000003DE1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_3ebbe7c7-3
Source: RegAsymX.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: RegAsymX.exe, 00000001.00000000.1681932970.00000000008A2000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_d894eeb2-c
Source: RegAsymX.exe, 00000001.00000000.1681932970.00000000008A2000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_d93d97fc-5
Source: RegAsymX.exe, 00000002.00000002.4144768646.0000000003F72000.00000040.10000000.00040000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_610698ee-5
Source: RegAsymX.exe, 00000002.00000002.4144768646.0000000003F72000.00000040.10000000.00040000.00000000.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_69ad603f-e
Source: RegAsymX.exe, 00000002.00000002.4144625611.0000000003DB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_7e079ba4-9
Source: RegAsymX.exe, 00000002.00000002.4144625611.0000000003DB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_bc41f37b-8
Source: RegAsymX.exe, 00000002.00000002.4143541171.00000000008A2000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_2f49fdef-1
Source: RegAsymX.exe, 00000002.00000002.4143541171.00000000008A2000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_5b8ae25b-2
Source: svchost.exe, 00000003.00000002.2005838898.00000000032C2000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_4b7a6453-9
Source: svchost.exe, 00000003.00000002.2005838898.00000000032C2000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_0407e11f-a
Source: RegAsymX.exe, 00000008.00000000.1810224415.00000000008A2000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_7002a894-9
Source: RegAsymX.exe, 00000008.00000000.1810224415.00000000008A2000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_c4435ec3-3
Source: RegAsymX.exe, 00000008.00000002.4144091090.0000000004276000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_095845a4-a
Source: RegAsymX.exe, 00000008.00000002.4144091090.0000000004276000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_f2a9c828-4
Source: 3TpW2Sn68z.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_959647dd-f
Source: 3TpW2Sn68z.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_745d09d1-8
Source: RegAsymX.exe.0.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_2e2a7c22-2
Source: RegAsymX.exe.0.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_2fc89a24-2
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 2_2_0041812A
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 2_2_0041330D
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle, 2_2_0041BBC6
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle, 2_2_0041BB9A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0329A2D7 NtdllDialogWndProc_W, 3_2_0329A2D7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_032987B2 NtdllDialogWndProc_W,CallWindowProcW, 3_2_032987B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03218BA4 NtdllDialogWndProc_W, 3_2_03218BA4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03298AAA NtdllDialogWndProc_W, 3_2_03298AAA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03298FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W, 3_2_03298FC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03299380 NtdllDialogWndProc_W, 3_2_03299380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_032993CB NtdllDialogWndProc_W, 3_2_032993CB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0329911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W, 3_2_0329911E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03203170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow, 3_2_03203170
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03219052 NtdllDialogWndProc_W, 3_2_03219052
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_032190A7 NtdllDialogWndProc_W, 3_2_032190A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_032990A1 SendMessageW,NtdllDialogWndProc_W, 3_2_032990A1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_032197C0 GetParent,NtdllDialogWndProc_W, 3_2_032197C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0329953A GetWindowLongW,NtdllDialogWndProc_W, 3_2_0329953A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03299576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 3_2_03299576
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03299400 ClientToScreen,NtdllDialogWndProc_W, 3_2_03299400
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0321997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,NtdllDialogWndProc_W, 3_2_0321997D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03299F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W, 3_2_03299F86
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03299E74 NtdllDialogWndProc_W, 3_2_03299E74
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03299EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W, 3_2_03299EF3
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 8_2_0041330D
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle, 8_2_0041BBC6
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle, 8_2_0041BB9A
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005CD5EB CreateFileW,DeviceIoControl,CloseHandle, 0_2_005CD5EB
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005C1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_005C1201
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005CE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_005CE8F6
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_0084E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 1_2_0084E8F6
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress, 2_2_004167EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0326E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 3_2_0326E8F6
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress, 8_2_004167EF
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_0056BF40 0_2_0056BF40
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005D2046 0_2_005D2046
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_00568060 0_2_00568060
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005C8298 0_2_005C8298
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_0059E4FF 0_2_0059E4FF
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_0059676B 0_2_0059676B
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005F4873 0_2_005F4873
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_0056CAF0 0_2_0056CAF0
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_0058CAA0 0_2_0058CAA0
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_0057CC39 0_2_0057CC39
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_00596DD9 0_2_00596DD9
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_0057B119 0_2_0057B119
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005691C0 0_2_005691C0
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_00581394 0_2_00581394
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_00581706 0_2_00581706
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_0058781B 0_2_0058781B
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_0057997D 0_2_0057997D
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_00567920 0_2_00567920
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005819B0 0_2_005819B0
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_00587A4A 0_2_00587A4A
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_00581C77 0_2_00581C77
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_00587CA7 0_2_00587CA7
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005EBE44 0_2_005EBE44
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_00599EEE 0_2_00599EEE
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_00581F32 0_2_00581F32
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_02023660 0_2_02023660
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_007E8060 1_2_007E8060
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_00852046 1_2_00852046
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_00848298 1_2_00848298
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_0081E4FF 1_2_0081E4FF
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_0081676B 1_2_0081676B
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_00874873 1_2_00874873
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_0080CAA0 1_2_0080CAA0
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_007ECAF0 1_2_007ECAF0
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_007FCC39 1_2_007FCC39
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_00816DD9 1_2_00816DD9
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_007FB119 1_2_007FB119
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_007E91C0 1_2_007E91C0
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_00801394 1_2_00801394
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_00801706 1_2_00801706
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_0080781B 1_2_0080781B
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_007F997D 1_2_007F997D
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_008019B0 1_2_008019B0
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_007E7920 1_2_007E7920
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_00807A4A 1_2_00807A4A
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_00807CA7 1_2_00807CA7
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_00801C77 1_2_00801C77
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_00819EEE 1_2_00819EEE
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_0086BE44 1_2_0086BE44
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_00801F32 1_2_00801F32
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_00603660 1_2_00603660
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0043706A 2_2_0043706A
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_00414005 2_2_00414005
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0043E11C 2_2_0043E11C
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_004541D9 2_2_004541D9
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_004381E8 2_2_004381E8
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0041F18B 2_2_0041F18B
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_00446270 2_2_00446270
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0043E34B 2_2_0043E34B
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_004533AB 2_2_004533AB
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0042742E 2_2_0042742E
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_00437566 2_2_00437566
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0043E5A8 2_2_0043E5A8
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_004387F0 2_2_004387F0
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0043797E 2_2_0043797E
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_004339D7 2_2_004339D7
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0044DA49 2_2_0044DA49
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_00427AD7 2_2_00427AD7
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0041DBF3 2_2_0041DBF3
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_00427C40 2_2_00427C40
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_00437DB3 2_2_00437DB3
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_00435EEB 2_2_00435EEB
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0043DEED 2_2_0043DEED
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_00426E9F 2_2_00426E9F
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_01033660 2_2_01033660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03268298 3_2_03268298
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03208060 3_2_03208060
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03272046 3_2_03272046
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0323676B 3_2_0323676B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0323E4FF 3_2_0323E4FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0322CAA0 3_2_0322CAA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0320CAF0 3_2_0320CAF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03294873 3_2_03294873
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03236DD9 3_2_03236DD9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0321CC39 3_2_0321CC39
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03221394 3_2_03221394
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0321B119 3_2_0321B119
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_032091C0 3_2_032091C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03221706 3_2_03221706
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03227A4A 3_2_03227A4A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03207920 3_2_03207920
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0321997D 3_2_0321997D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_032219B0 3_2_032219B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0322781B 3_2_0322781B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03221F32 3_2_03221F32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0328BE44 3_2_0328BE44
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03239EEE 3_2_03239EEE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03221C77 3_2_03221C77
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03227CA7 3_2_03227CA7
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0043706A 8_2_0043706A
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_00414005 8_2_00414005
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0043E11C 8_2_0043E11C
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_004541D9 8_2_004541D9
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_004381E8 8_2_004381E8
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0041F18B 8_2_0041F18B
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_00446270 8_2_00446270
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0043E34B 8_2_0043E34B
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_004533AB 8_2_004533AB
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0042742E 8_2_0042742E
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_00437566 8_2_00437566
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0043E5A8 8_2_0043E5A8
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_004387F0 8_2_004387F0
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0043797E 8_2_0043797E
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_004339D7 8_2_004339D7
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0044DA49 8_2_0044DA49
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_00427AD7 8_2_00427AD7
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0041DBF3 8_2_0041DBF3
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_00427C40 8_2_00427C40
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_00437DB3 8_2_00437DB3
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_00435EEB 8_2_00435EEB
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0043DEED 8_2_0043DEED
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_00426E9F 8_2_00426E9F
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_018A3660 8_2_018A3660
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: String function: 0040417E appears 46 times
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: String function: 00402093 appears 100 times
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: String function: 007FF9F2 appears 31 times
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: String function: 004020DF appears 40 times
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: String function: 00434801 appears 82 times
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: String function: 00457AA8 appears 34 times
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: String function: 00445951 appears 56 times
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: String function: 004046F7 appears 34 times
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: String function: 00402213 appears 38 times
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: String function: 004052FD appears 32 times
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: String function: 00800A30 appears 46 times
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: String function: 00401E65 appears 70 times
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: String function: 00434E70 appears 108 times
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: String function: 00401FAB appears 44 times
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: String function: 0044854A appears 36 times
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: String function: 00411FA2 appears 32 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03220A30 appears 46 times
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: String function: 00580A30 appears 46 times
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: String function: 0057F9F2 appears 31 times
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 568
Source: 3TpW2Sn68z.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@11/18@0/1
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005D37B5 GetLastError,FormatMessageW, 0_2_005D37B5
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005C10BF AdjustTokenPrivileges,CloseHandle, 0_2_005C10BF
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005C16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_005C16C3
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_008410BF AdjustTokenPrivileges,CloseHandle, 1_2_008410BF
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_008416C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 1_2_008416C3
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 2_2_0041798D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_032610BF AdjustTokenPrivileges,CloseHandle, 3_2_032610BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_032616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 3_2_032616C3
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 8_2_0041798D
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005D51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_005D51CD
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005EA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_005EA67C
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005D648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_005D648E
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_005642A2
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 2_2_0041AADB
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe File created: C:\Users\user\AppData\Local\directory
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7660
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-FR1M2R-W
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-FR1M2R
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe File created: C:\Users\user\AppData\Local\Temp\autA43A.tmp
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs"
Source: 3TpW2Sn68z.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 3TpW2Sn68z.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe File read: C:\Users\user\Desktop\3TpW2Sn68z.exe
Source: unknown Process created: C:\Users\user\Desktop\3TpW2Sn68z.exe "C:\Users\user\Desktop\3TpW2Sn68z.exe"
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Process created: C:\Users\user\AppData\Local\directory\RegAsymX.exe "C:\Users\user\Desktop\3TpW2Sn68z.exe"
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Process created: C:\Users\user\AppData\Local\directory\RegAsymX.exe "C:\Users\user\AppData\Local\directory\RegAsymX.exe"
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 568
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\RegAsymX.exe "C:\Users\user\AppData\Local\directory\RegAsymX.exe"
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Process created: C:\Users\user\AppData\Local\directory\RegAsymX.exe "C:\Users\user\Desktop\3TpW2Sn68z.exe"
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Process created: C:\Users\user\AppData\Local\directory\RegAsymX.exe "C:\Users\user\AppData\Local\directory\RegAsymX.exe"
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\RegAsymX.exe "C:\Users\user\AppData\Local\directory\RegAsymX.exe"
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: userenv.dll