
Windows Analysis Report
3TpW2Sn68z.exe

Overview

General Information

Sample name: 3TpW2Sn68z.exe (renamed because original name is a hash value)
Original sample name: 560def626fc69a10e4979b67107efaad102e2a01ce4733d005003dd47437a30e.exe
Analysis ID: 1504845
MD5: c7fc0cee8ca35d709ed276e9f88ddbed
SHA1: ceea9d76bf0429872f4d7420addd0abdb5e8f4dc
SHA256: 560def626fc69a10e4979b67107efaad102e2a01ce4733d005003dd47437a30e
Tags: exe

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: Suspect Svchost Activity
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • 3TpW2Sn68z.exe (PID: 7548 cmdline: "C:\Users\user\Desktop\3TpW2Sn68z.exe" MD5: C7FC0CEE8CA35D709ED276E9F88DDBED)
    • RegAsymX.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\3TpW2Sn68z.exe" MD5: C7FC0CEE8CA35D709ED276E9F88DDBED)
      • RegAsymX.exe (PID: 7608 cmdline: "C:\Users\user\AppData\Local\directory\RegAsymX.exe" MD5: C7FC0CEE8CA35D709ED276E9F88DDBED)
        • svchost.exe (PID: 7660 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
          • WerFault.exe (PID: 7764 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 568 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • wscript.exe (PID: 7884 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • RegAsymX.exe (PID: 7936 cmdline: "C:\Users\user\AppData\Local\directory\RegAsymX.exe" MD5: C7FC0CEE8CA35D709ED276E9F88DDBED)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "84.38.132.103:7001:1", "Assigned name": "Main", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-FR1M2R", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
Source: C:\ProgramData\remcos\logs.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security

Source | Rule | Description | Author | Strings
Source: 00000002.00000002.4144608465.0000000003CEF000.00000004.00000010.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
(43 entries in this table; only the first are shown)

Source | Rule | Description | Author | Strings
Source: 8.2.RegAsymX.exe.400000.0.raw.unpack | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 8.2.RegAsymX.exe.400000.0.raw.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 8.2.RegAsymX.exe.400000.0.raw.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 8.2.RegAsymX.exe.400000.0.raw.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i
Source: 8.2.RegAsymX.exe.400000.0.raw.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6657c:$str_b2: Executing file:
  • 0x675fc:$str_b3: GetDirectListeningPort
  • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67128:$str_b7: \update.vbs
  • 0x665a4:$str_b9: Downloaded file:
  • 0x66590:$str_b10: Downloading file:
  • 0x66634:$str_b12: Failed to upload file:
  • 0x675c4:$str_b13: StartForward
  • 0x675e4:$str_b14: StopForward
  • 0x67080:$str_b15: fso.DeleteFile "
  • 0x67014:$str_b16: On Error Resume Next
  • 0x670b0:$str_b17: fso.DeleteFolder "
  • 0x66624:$str_b18: Uploaded file:
  • 0x665e4:$str_b19: Unable to delete:
  • 0x67048:$str_b20: while fso.FileExists("
  • 0x66ac1:$str_c0: [Firefox StoredLogins not found]
(55 entries in this table; only the first are shown)

System Summary

Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Local\directory\RegAsymX.exe", ParentImage: C:\Users\user\AppData\Local\directory\RegAsymX.exe, ParentProcessId: 7608, ParentProcessName: RegAsymX.exe, ProcessCommandLine: svchost.exe, ProcessId: 7660, ProcessName: svchost.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs" , ProcessId: 7884, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Local\directory\RegAsymX.exe", ParentImage: C:\Users\user\AppData\Local\directory\RegAsymX.exe, ParentProcessId: 7608, ParentProcessName: RegAsymX.exe, ProcessCommandLine: svchost.exe, ProcessId: 7660, ProcessName: svchost.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs" , ProcessId: 7884, ProcessName: wscript.exe
Source: Process started | Author: vburov | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Local\directory\RegAsymX.exe", ParentImage: C:\Users\user\AppData\Local\directory\RegAsymX.exe, ParentProcessId: 7608, ParentProcessName: RegAsymX.exe, ProcessCommandLine: svchost.exe, ProcessId: 7660, ProcessName: svchost.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\RegAsymX.exe, ProcessId: 7564, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\RegAsymX.exe, ProcessId: 7608, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-05T14:17:21.343263+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 84.38.132.103 | 7001 | TCP
2024-09-05T14:17:43.736278+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 53009 | 84.38.132.103 | 7001 | TCP
2024-09-05T14:18:06.103034+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 53013 | 84.38.132.103 | 7001 | TCP

AV Detection

Source: 00000008.00000002.4143632839.0000000001938000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "84.38.132.103:7001:1", "Assigned name": "Main", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-FR1M2R", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | ReversingLabs: Detection: 50%
Source: 3TpW2Sn68z.exe | ReversingLabs: Detection: 50%
Source: Yara match | File source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4144608465.0000000003CEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4143940399.0000000001B5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4143632839.0000000001938000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143971478.0000000001118000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143971478.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4144505602.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Joe Sandbox ML: detected
Source: 3TpW2Sn68z.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,2_2_004338C8
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,8_2_004338C8
Source: RegAsymX.exe, 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_98b29fde-1)

Exploits

Source: Yara match | File source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00407538 _wcslen,CoGetObject,2_2_00407538
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00407538 _wcslen,CoGetObject,8_2_00407538

                  Compliance

                  barindex
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeUnpacked PE file: 2.2.RegAsymX.exe.400000.0.unpack
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeUnpacked PE file: 8.2.RegAsymX.exe.400000.0.unpack
                  Source: 3TpW2Sn68z.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_005CDBBE
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005D68EE FindFirstFileW,FindClose,0_2_005D68EE
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_005D698F
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_005CD076
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_005CD3A9
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_005D9642
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_005D979D
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_005D9B2B
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005D5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_005D5C97
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_0084DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,1_2_0084DBBE
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_008568EE FindFirstFileW,FindClose,1_2_008568EE
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_0085698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,1_2_0085698F
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_0084D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_0084D076
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_0084D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_0084D3A9
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_00859642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00859642
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_0085979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_0085979D
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_00859B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,1_2_00859B2B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_00855C97 FindFirstFileW,FindNextFileW,FindClose,1_2_00855C97
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_0040928E
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,2_2_0041C322
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,2_2_0040C388
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_004096A0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,2_2_00408847
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_00407877 FindFirstFileW,FindNextFileW,2_2_00407877
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,2_2_0040BB6B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,2_2_00419B86
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,2_2_0040BD72
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0327698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,3_2_0327698F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_032768EE FindFirstFileW,FindClose,3_2_032768EE
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0326D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_0326D3A9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0326D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_0326D076
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0327979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_0327979D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03279642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_03279642
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03279B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,3_2_03279B2B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0326DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,3_2_0326DBBE
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03275C97 FindFirstFileW,FindNextFileW,FindClose,3_2_03275C97
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_0040928E
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,8_2_0041C322
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_0040C388
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_004096A0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,8_2_00408847
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_00407877 FindFirstFileW,FindNextFileW,8_2_00407877
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_0040BB6B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,8_2_00419B86
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_0040BD72
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,2_2_00407CD2
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

                  Networking

                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49730 -> 84.38.132.103:7001
                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:53013 -> 84.38.132.103:7001
                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:53009 -> 84.38.132.103:7001
                  Source: Malware configuration extractorURLs: 84.38.132.103
                  Source: global trafficTCP traffic: 192.168.2.4:49730 -> 84.38.132.103:7001
                  Source: Joe Sandbox ViewASN Name: DATACLUBLV DATACLUBLV
                  Source: unknownTCP traffic detected without corresponding DNS query: 84.38.132.103
                  Source: unknownTCP traffic detected without corresponding DNS query: 84.38.132.103
                  Source: unknownTCP traffic detected without corresponding DNS query: 84.38.132.103
                  Source: unknownTCP traffic detected without corresponding DNS query: 84.38.132.103
                  Source: unknownTCP traffic detected without corresponding DNS query: 84.38.132.103
                  Source: unknownTCP traffic detected without corresponding DNS query: 84.38.132.103
                  Source: unknownTCP traffic detected without corresponding DNS query: 84.38.132.103
                  Source: unknownTCP traffic detected without corresponding DNS query: 84.38.132.103
                  Source: unknownTCP traffic detected without corresponding DNS query: 84.38.132.103
                  Source: unknownTCP traffic detected without corresponding DNS query: 84.38.132.103
                  Source: unknownTCP traffic detected without corresponding DNS query: 84.38.132.103
                  Source: unknownTCP traffic detected without corresponding DNS query: 84.38.132.103
                  Source: unknownTCP traffic detected without corresponding DNS query: 84.38.132.103
                  Source: unknownTCP traffic detected without corresponding DNS query: 84.38.132.103
                  Source: unknownTCP traffic detected without corresponding DNS query: 84.38.132.103
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005DCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_005DCE44
                  Source: RegAsymX.exeString found in binary or memory: http://geoplugin.net/json.gp
                  Source: RegAsymX.exe, 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, RegAsymX.exe, 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, RegAsymX.exe, 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, RegAsymX.exe, 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, RegAsymX.exe, 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                  Source: Amcache.hve.6.drString found in binary or memory: http://upx.sf.net

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,000000002_2_0040A2F3
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005DEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_005DEAFF
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005DED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_005DED6A
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_0085ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,1_2_0085ED6A
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,2_2_004168FC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0327ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,3_2_0327ED6A
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,8_2_004168FC
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005CAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_005CAA57
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005F9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_005F9576
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_00879576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,1_2_00879576
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03299576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,3_2_03299576
                  Source: Yara matchFile source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR

                  E-Banking Fraud

                  Source: Yara matchFile source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000002.00000002.4144608465.0000000003CEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000008.00000002.4143940399.0000000001B5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000008.00000002.4143632839.0000000001938000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4143971478.0000000001118000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4143971478.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4144505602.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR
                  Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_0041CA6D SystemParametersInfoW,2_2_0041CA6D
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_0041CA73 SystemParametersInfoW,2_2_0041CA73
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_0041CA6D SystemParametersInfoW,8_2_0041CA6D
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_0041CA73 SystemParametersInfoW,8_2_0041CA73

                  System Summary

                  Source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 3TpW2Sn68z.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: 3TpW2Sn68z.exe, 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_814a09af-6
                  Source: 3TpW2Sn68z.exe, 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_017a4c7f-1
                  Source: 3TpW2Sn68z.exe, 00000000.00000003.1681672618.0000000003DE1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_deae4797-6
                  Source: 3TpW2Sn68z.exe, 00000000.00000003.1681672618.0000000003DE1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_3ebbe7c7-3
                  Source: RegAsymX.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: RegAsymX.exe, 00000001.00000000.1681932970.00000000008A2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_d894eeb2-c
                  Source: RegAsymX.exe, 00000001.00000000.1681932970.00000000008A2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_d93d97fc-5
                  Source: RegAsymX.exe, 00000002.00000002.4144768646.0000000003F72000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_610698ee-5
                  Source: RegAsymX.exe, 00000002.00000002.4144768646.0000000003F72000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_69ad603f-e
                  Source: RegAsymX.exe, 00000002.00000002.4144625611.0000000003DB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_7e079ba4-9
                  Source: RegAsymX.exe, 00000002.00000002.4144625611.0000000003DB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_bc41f37b-8
                  Source: RegAsymX.exe, 00000002.00000002.4143541171.00000000008A2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_2f49fdef-1
                  Source: RegAsymX.exe, 00000002.00000002.4143541171.00000000008A2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_5b8ae25b-2
                  Source: svchost.exe, 00000003.00000002.2005838898.00000000032C2000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_4b7a6453-9
                  Source: svchost.exe, 00000003.00000002.2005838898.00000000032C2000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_0407e11f-a
                  Source: RegAsymX.exe, 00000008.00000000.1810224415.00000000008A2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_7002a894-9
                  Source: RegAsymX.exe, 00000008.00000000.1810224415.00000000008A2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_c4435ec3-3
                  Source: RegAsymX.exe, 00000008.00000002.4144091090.0000000004276000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_095845a4-a
                  Source: RegAsymX.exe, 00000008.00000002.4144091090.0000000004276000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_f2a9c828-4
                  Source: 3TpW2Sn68z.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_959647dd-f
                  Source: 3TpW2Sn68z.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_745d09d1-8
                  Source: RegAsymX.exe.0.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_2e2a7c22-2
                  Source: RegAsymX.exe.0.drString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_2fc89a24-2
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Process Stats: CPU usage > 49%
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError | 2_2_0041812A
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle | 2_2_0041330D
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle | 2_2_0041BBC6
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle | 2_2_0041BB9A
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0329A2D7 NtdllDialogWndProc_W | 3_2_0329A2D7
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_032987B2 NtdllDialogWndProc_W,CallWindowProcW | 3_2_032987B2
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03218BA4 NtdllDialogWndProc_W | 3_2_03218BA4
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03298AAA NtdllDialogWndProc_W | 3_2_03298AAA
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03298FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W | 3_2_03298FC9
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03299380 NtdllDialogWndProc_W | 3_2_03299380
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_032993CB NtdllDialogWndProc_W | 3_2_032993CB
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0329911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W | 3_2_0329911E
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03203170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow | 3_2_03203170
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03219052 NtdllDialogWndProc_W | 3_2_03219052
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_032190A7 NtdllDialogWndProc_W | 3_2_032190A7
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_032990A1 SendMessageW,NtdllDialogWndProc_W | 3_2_032990A1
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_032197C0 GetParent,NtdllDialogWndProc_W | 3_2_032197C0
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0329953A GetWindowLongW,NtdllDialogWndProc_W | 3_2_0329953A
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03299576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 3_2_03299576
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03299400 ClientToScreen,NtdllDialogWndProc_W | 3_2_03299400
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0321997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,NtdllDialogWndProc_W | 3_2_0321997D
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03299F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W | 3_2_03299F86
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03299E74 NtdllDialogWndProc_W | 3_2_03299E74
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03299EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W | 3_2_03299EF3
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle | 8_2_0041330D
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle | 8_2_0041BBC6
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle | 8_2_0041BB9A
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005CD5EB: CreateFileW,DeviceIoControl,CloseHandle | 0_2_005CD5EB
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005C1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_005C1201
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005CE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 0_2_005CE8F6
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0084E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 1_2_0084E8F6
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress | 2_2_004167EF
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0326E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 3_2_0326E8F6
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress | 8_2_004167EF
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0056BF40 | 0_2_0056BF40
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005D2046 | 0_2_005D2046
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00568060 | 0_2_00568060
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005C8298 | 0_2_005C8298
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0059E4FF | 0_2_0059E4FF
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0059676B | 0_2_0059676B
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005F4873 | 0_2_005F4873
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0056CAF0 | 0_2_0056CAF0
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0058CAA0 | 0_2_0058CAA0
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0057CC39 | 0_2_0057CC39
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00596DD9 | 0_2_00596DD9
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0057B119 | 0_2_0057B119
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005691C0 | 0_2_005691C0
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00581394 | 0_2_00581394
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00581706 | 0_2_00581706
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0058781B | 0_2_0058781B
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0057997D | 0_2_0057997D
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00567920 | 0_2_00567920
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005819B0 | 0_2_005819B0
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00587A4A | 0_2_00587A4A
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00581C77 | 0_2_00581C77
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00587CA7 | 0_2_00587CA7
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005EBE44 | 0_2_005EBE44
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00599EEE | 0_2_00599EEE
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00581F32 | 0_2_00581F32
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_02023660 | 0_2_02023660
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_007E8060 | 1_2_007E8060
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00852046 | 1_2_00852046
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00848298 | 1_2_00848298
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0081E4FF | 1_2_0081E4FF
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0081676B | 1_2_0081676B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00874873 | 1_2_00874873
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0080CAA0 | 1_2_0080CAA0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_007ECAF0 | 1_2_007ECAF0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_007FCC39 | 1_2_007FCC39
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00816DD9 | 1_2_00816DD9
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_007FB119 | 1_2_007FB119
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_007E91C0 | 1_2_007E91C0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00801394 | 1_2_00801394
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00801706 | 1_2_00801706
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0080781B | 1_2_0080781B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_007F997D | 1_2_007F997D
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_008019B0 | 1_2_008019B0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_007E7920 | 1_2_007E7920
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00807A4A | 1_2_00807A4A
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00807CA7 | 1_2_00807CA7
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00801C77 | 1_2_00801C77
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00819EEE | 1_2_00819EEE
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0086BE44 | 1_2_0086BE44
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00801F32 | 1_2_00801F32
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00603660 | 1_2_00603660
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0043706A | 2_2_0043706A
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00414005 | 2_2_00414005
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0043E11C | 2_2_0043E11C
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_004541D9 | 2_2_004541D9
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_004381E8 | 2_2_004381E8
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0041F18B | 2_2_0041F18B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00446270 | 2_2_00446270
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0043E34B | 2_2_0043E34B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_004533AB | 2_2_004533AB
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0042742E | 2_2_0042742E
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00437566 | 2_2_00437566
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0043E5A8 | 2_2_0043E5A8
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_004387F0 | 2_2_004387F0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0043797E | 2_2_0043797E
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_004339D7 | 2_2_004339D7
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0044DA49 | 2_2_0044DA49
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00427AD7 | 2_2_00427AD7
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0041DBF3 | 2_2_0041DBF3
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00427C40 | 2_2_00427C40
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00437DB3 | 2_2_00437DB3
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00435EEB | 2_2_00435EEB
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0043DEED | 2_2_0043DEED
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00426E9F | 2_2_00426E9F
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_01033660 | 2_2_01033660
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03268298 | 3_2_03268298
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03208060 | 3_2_03208060
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03272046 | 3_2_03272046
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0323676B | 3_2_0323676B
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0323E4FF | 3_2_0323E4FF
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0322CAA0 | 3_2_0322CAA0
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0320CAF0 | 3_2_0320CAF0
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03294873 | 3_2_03294873
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03236DD9 | 3_2_03236DD9
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0321CC39 | 3_2_0321CC39
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03221394 | 3_2_03221394
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0321B119 | 3_2_0321B119
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_032091C0 | 3_2_032091C0
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03221706 | 3_2_03221706
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03227A4A | 3_2_03227A4A
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03207920 | 3_2_03207920
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0321997D | 3_2_0321997D
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_032219B0 | 3_2_032219B0
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0322781B | 3_2_0322781B
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03221F32 | 3_2_03221F32
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0328BE44 | 3_2_0328BE44
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03239EEE | 3_2_03239EEE
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03221C77 | 3_2_03221C77
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03227CA7 | 3_2_03227CA7
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0043706A | 8_2_0043706A
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00414005 | 8_2_00414005
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0043E11C | 8_2_0043E11C
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_004541D9 | 8_2_004541D9
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_004381E8 | 8_2_004381E8
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0041F18B | 8_2_0041F18B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00446270 | 8_2_00446270
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0043E34B | 8_2_0043E34B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_004533AB | 8_2_004533AB
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0042742E | 8_2_0042742E
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00437566 | 8_2_00437566
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0043E5A8 | 8_2_0043E5A8
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_004387F0 | 8_2_004387F0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0043797E | 8_2_0043797E
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_004339D7 | 8_2_004339D7
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0044DA49 | 8_2_0044DA49
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00427AD7 | 8_2_00427AD7
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0041DBF3 | 8_2_0041DBF3
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00427C40 | 8_2_00427C40
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00437DB3 | 8_2_00437DB3
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00435EEB | 8_2_00435EEB
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0043DEED | 8_2_0043DEED
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00426E9F | 8_2_00426E9F
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_018A3660 | 8_2_018A3660
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 0040417E appears 46 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00402093 appears 100 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 007FF9F2 appears 31 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 004020DF appears 40 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00434801 appears 82 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00457AA8 appears 34 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00445951 appears 56 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 004046F7 appears 34 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00402213 appears 38 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 004052FD appears 32 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00800A30 appears 46 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00401E65 appears 70 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00434E70 appears 108 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00401FAB appears 44 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 0044854A appears 36 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00411FA2 appears 32 times
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03220A30 appears 46 times
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: String function: 00580A30 appears 46 times
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: String function: 0057F9F2 appears 31 times
                  Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 568
                  Source: 3TpW2Sn68z.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@11/18@0/1
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005D37B5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005C10BF AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005C16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_008410BF AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_008416C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_032610BF AdjustTokenPrivileges,CloseHandle
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_032616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005D51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005EA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005D648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | File created: C:\Users\user\AppData\Local\directory
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7660
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-FR1M2R-W
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-FR1M2R
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | File created: C:\Users\user\AppData\Local\Temp\autA43A.tmp
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs"
Source: 3TpW2Sn68z.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 3TpW2Sn68z.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | File read: C:\Users\user\Desktop\3TpW2Sn68z.exe
Source: unknown | Process created: C:\Users\user\Desktop\3TpW2Sn68z.exe "C:\Users\user\Desktop\3TpW2Sn68z.exe"
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Process created: C:\Users\user\AppData\Local\directory\RegAsymX.exe "C:\Users\user\Desktop\3TpW2Sn68z.exe"
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Process created: C:\Users\user\AppData\Local\directory\RegAsymX.exe "C:\Users\user\AppData\Local\directory\RegAsymX.exe"
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 568
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\directory\RegAsymX.exe "C:\Users\user\AppData\Local\directory\RegAsymX.exe"
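The process chain and mutex names above are what the report's "WScript or CScript Dropper" and "Suspect Svchost Activity" Sigma hits and its Remcos detection key on: wscript.exe runs RegAsymX.vbs out of the per-user Startup folder, RegAsymX.exe spawns a bare 32-bit svchost.exe from a user-profile binary (which then crashes into WerFault), and the RAT guards itself with the Rmc-FR1M2R and Rmc-FR1M2R-W mutexes. The Python below is an added example, not part of the Joe Sandbox report or of any Sigma rule: it applies those three checks to a constructed event list whose image paths, command lines and mutex names are copied from the report. The event schema (kind/pid/ppid/image/cmdline), the PIDs 1100, 7500, 7700, 7900, 600, 700 and 900, the explorer.exe parent and the services.exe/svchost.exe control pair are assumptions of the example; PIDs 7564, 7608, 7660 and 7936 are the report's.

```python
import ntpath
import re

# Constructed events modelled on the process tree and mutexes in the report.
# Paths, command lines and mutex names are copied from it; PIDs 7564, 7608,
# 7660 and 7936 are the report's, every other PID, the explorer.exe parent and
# the services.exe/svchost.exe control pair are assumptions of this example.
EVENTS = [
    {"kind": "process", "pid": 1100, "ppid": 0, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"kind": "process", "pid": 7500, "ppid": 1100, "image": r"C:\Users\user\Desktop\3TpW2Sn68z.exe",
     "cmdline": r'"C:\Users\user\Desktop\3TpW2Sn68z.exe"'},
    {"kind": "process", "pid": 7564, "ppid": 7500,
     "image": r"C:\Users\user\AppData\Local\directory\RegAsymX.exe",
     "cmdline": r'"C:\Users\user\Desktop\3TpW2Sn68z.exe"'},
    {"kind": "process", "pid": 7608, "ppid": 7564,
     "image": r"C:\Users\user\AppData\Local\directory\RegAsymX.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\directory\RegAsymX.exe"'},
    {"kind": "process", "pid": 7660, "ppid": 7608, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": "svchost.exe"},
    {"kind": "process", "pid": 7700, "ppid": 7660, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 568"},
    {"kind": "process", "pid": 7900, "ppid": 1100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs"'},
    {"kind": "process", "pid": 7936, "ppid": 7900,
     "image": r"C:\Users\user\AppData\Local\directory\RegAsymX.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\directory\RegAsymX.exe"'},
    # Benign control (assumed): a genuine service host, child of services.exe, with a -k group.
    {"kind": "process", "pid": 700, "ppid": 600, "image": r"C:\Windows\System32\services.exe",
     "cmdline": "services.exe"},
    {"kind": "process", "pid": 900, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"kind": "mutant", "pid": 7608, "name": r"\Sessions\1\BaseNamedObjects\Rmc-FR1M2R"},
    {"kind": "mutant", "pid": 7608, "name": r"\Sessions\1\BaseNamedObjects\Rmc-FR1M2R-W"},
    {"kind": "mutant", "pid": 7700, "name": r"\Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7660"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP_DIR = r"\start menu\programs\startup"        # compared against a lower-cased command line
REMCOS_MUTEX = re.compile(r"^Rmc-[A-Z0-9]+(-W)?$")   # Rmc-<id> plus its -W sibling, as in the report


def image_name(path):
    return ntpath.basename(path).lower()


def lineage(pid, procs):
    """Walk ppid links upward; returns image basenames, the given process first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(image_name(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def triage(events):
    """Return (rule, pid, lineage) tuples for every event that trips a check."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    findings = []
    for e in events:
        if e["kind"] == "process":
            name = image_name(e["image"])
            cmd = e["cmdline"].lower()
            parent = procs.get(e["ppid"])
            parent_name = image_name(parent["image"]) if parent else None
            # "WScript or CScript Dropper": a script host executing a file from the
            # per-user Startup folder is the persistence trigger, not user activity.
            if name in SCRIPT_HOSTS and STARTUP_DIR in cmd:
                findings.append(("wscript_startup", e["pid"], lineage(e["pid"], procs)))
            # "Suspect Svchost Activity": legitimate service hosts are children of
            # services.exe and carry a -k group; a bare svchost.exe spawned by a
            # user-profile binary is an injection target, as in the report.
            if name == "svchost.exe" and (parent_name != "services.exe" or " -k " not in cmd):
                findings.append(("svchost_not_from_services", e["pid"], lineage(e["pid"], procs)))
        elif e["kind"] == "mutant":
            # Remcos serialises its instances with a mutex named Rmc-<id>; the id
            # comes from the sample's configuration, so match the shape, not the value.
            if REMCOS_MUTEX.match(ntpath.basename(e["name"])):
                findings.append(("remcos_mutex", e["pid"], lineage(e["pid"], procs)))
    return findings


if __name__ == "__main__":
    for rule, pid, chain in triage(EVENTS):
        print(f"{rule:<26} pid={pid:<5} {' <- '.join(chain)}")
```

Each finding carries the full parent chain, so the svchost.exe hit reads back to 3TpW2Sn68z.exe through both RegAsymX.exe stages, and the mutex hits attach to PID 7608 rather than to a bare name. The mutex check deliberately matches the Rmc- prefix and shape rather than the literal FR1M2R, because that part is per-build configuration and changes between samples.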
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe -> Sections loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Sections loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Sections loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, sspicli.dll, mswsock.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
Source: C:\Windows\SysWOW64\svchost.exe -> Sections loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe -> Sections loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mlang.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Sections loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll
Source: C:\Windows\System32\wscript.exe -> Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: 3TpW2Sn68z.exe -> Static file information: File size 1426944 > 1048576
Source: 3TpW2Sn68z.exe -> Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 3TpW2Sn68z.exe -> Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 3TpW2Sn68z.exe -> Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 3TpW2Sn68z.exe -> Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 3TpW2Sn68z.exe -> Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 3TpW2Sn68z.exe -> Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 3TpW2Sn68z.exe -> Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 3TpW2Sn68z.exe -> Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 3TpW2Sn68z.exe -> Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 3TpW2Sn68z.exe -> Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 3TpW2Sn68z.exe -> Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
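The static rows list which PE data directories are populated and which section each one lands in. The Python below is an added example, not from the report or any project, that derives those "is in" rows from raw headers with only the standard library. It builds a constructed header-only PE32 image whose layout copies the report's (IMPORT, LOAD_CONFIG and IAT in .rdata, RESOURCE in .rsrc, BASERELOC in .reloc; placing DEBUG in .rdata is an assumption, the report does not say where it is) and then maps each populated directory RVA to the section whose address range contains it.

```python
"""Map a PE's data directories to the section that contains them.

Added example, not from the report or any project. The PE bytes are CONSTRUCTED:
a header-only PE32 image (no real code) whose layout mirrors the report's rows,
with IMPORT, LOAD_CONFIG and IAT in .rdata, RESOURCE in .rsrc and BASERELOC in .reloc.
Putting DEBUG in .rdata is an assumption; the report does not say where it lives.
"""
from __future__ import annotations

import struct

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
    "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
    "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data: bytes) -> list[tuple[str, int, int]]:
    """Return (name, virtual_address, span) for every section header."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]     # SizeOfOptionalHeader
    first = e_lfanew + 24 + opt_size                                 # first section header
    out = []
    for i in range(nsec):
        name, vsize, va, rawsize = struct.unpack_from(SECTION_HDR, data, first + 40 * i)[:4]
        # a section occupies max(VirtualSize, SizeOfRawData) bytes of address space
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize)))
    return out


def data_directories(data: bytes) -> dict[str, tuple[int, int]]:
    """Return {name: (rva, size)} for the populated directories (size > 0)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directories at +96
        count_off, dir_off = 92, 96
    elif magic == 0x20B:      # PE32+: the 64-bit fields push both by 16 bytes
        count_off, dir_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    count = min(struct.unpack_from("<I", data, opt + count_off)[0], 16)
    dirs = {}
    for i in range(count):
        rva, size = struct.unpack_from("<II", data, opt + dir_off + 8 * i)
        if size:
            dirs[DIRECTORY_NAMES[i]] = (rva, size)
    return dirs


def data_directory_sections(data: bytes) -> dict[str, str | None]:
    """The report's 'IMAGE_DIRECTORY_ENTRY_X is in: .section' rows, computed from the headers."""
    sections = parse_sections(data)
    result = {}
    for name, (rva, _size) in data_directories(data).items():
        if name == "SECURITY":
            # the Authenticode entry holds a raw file offset, not an RVA: never map it
            result[name] = None
            continue
        result[name] = next((s for s, va, span in sections if va <= rva < va + span), None)
    return result


def build_sample_pe() -> bytes:
    """CONSTRUCTED header-only PE32 with the section/directory layout described above."""
    sections = [  # name, RVA, virtual size
        (b".text", 0x1000, 0x8000), (b".rdata", 0x9000, 0x3000), (b".data", 0xC000, 0x1000),
        (b".rsrc", 0xD000, 0x2000), (b".reloc", 0xF000, 0x1000),
    ]
    dirs = {1: (0x9200, 0x100), 2: (0xD000, 0x1800), 5: (0xF000, 0x800),
            6: (0x9A00, 0x1C), 10: (0x9B00, 0x40), 12: (0x9000, 0x200)}
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0x8000, 0x7000, 0, 0x1000, 0x1000, 0x9000, 0x400000,
                      0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x10000, 0x400, 0, 2, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *dirs.get(i, (0, 0))) for i in range(16))
    hdrs = b"".join(struct.pack(SECTION_HDR, n, vs, va, vs, 0x400, 0, 0, 0, 0, 0x40000040)
                    for n, va, vs in sections)
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(0x400, b"\0")
```

On a real file pass `open(path, "rb").read()`. The SECURITY entry is skipped on purpose: it stores a file offset rather than an RVA, so section mapping would be meaningless for it. The report's first static row (1426944 > 1048576) is just `len(data) > 1 << 20` and needs no function of its own; oversized AutoIt-compiled droppers are common because the script and payload ride in the overlay or resources.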

Data Obfuscation
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Unpacked PE file: 2.2.RegAsymX.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Unpacked PE file: 8.2.RegAsymX.exe.400000.0.unpack
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe -> Code function: 0_2_005642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe -> Code function: 0_2_00580A76 push ecx; ret 0_2_00580A89
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 1_2_00800A76 push ecx; ret 1_2_00800A89
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 2_2_00457186 push ecx; ret 2_2_00457199
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 2_2_0041C7F3 push eax; retf 2_2_0041C7FD
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 2_2_00457AA8 push eax; ret 2_2_00457AC6
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 2_2_00434EB6 push ecx; ret 2_2_00434EC9
Source: C:\Windows\SysWOW64\svchost.exe -> Code function: 3_2_03220A76 push ecx; ret 3_2_03220A89
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 8_2_00457186 push ecx; ret 8_2_00457199
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 8_2_0041C7F3 push eax; retf 8_2_0041C7FD
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 8_2_00457AA8 push eax; ret 8_2_00457AC6
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 8_2_00434EB6 push ecx; ret 8_2_00434EC9
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 2_2_00406EEB ShellExecuteW,URLDownloadToFileW
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe -> File created: C:\Users\user\AppData\Local\directory\RegAsymX.exe (dropped file)
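The push ecx; ret and push eax; retf rows above are two-instruction stubs that transfer control to whatever was pushed, a pattern compilers do not emit but packers use to hide branches. Note that the same stub is reported at 0_2_00580A76 in the sample, 1_2_00800A76 in RegAsymX.exe and 3_2_03220A76 in svchost.exe, the same offset from three different image bases, which is the loader's code present in svchost.exe too. The scanner below is an added example, not the report's or any vendor's detection logic: it walks an x86 byte string and reports a push of a 32-bit register or immediate immediately followed by a near or far return, decoding a pushed immediate as the jump target. SAMPLE_CODE is a constructed byte string, not bytes taken from the sample, and the offsets it yields belong to this example only.

```python
"""Locate push/ret control-flow stubs like the ones the report lists under Data Obfuscation.

Added example, not from the report. SAMPLE_CODE is a CONSTRUCTED x86 byte string, not
bytes from the sample; the offsets it yields belong to this example only.
"""
from __future__ import annotations

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_ret(code: bytes, j: int) -> tuple[str, int]:
    """Return (mnemonic, length) if a ret/retf (optionally with imm16) starts at j, else ("", 0)."""
    if j >= len(code):
        return "", 0
    op = code[j]
    if op == 0xC3:
        return "ret", 1
    if op == 0xCB:
        return "retf", 1
    if op in (0xC2, 0xCA) and j + 3 <= len(code):
        imm = int.from_bytes(code[j + 1:j + 3], "little")
        return f"{'ret' if op == 0xC2 else 'retf'} {imm:#x}", 3
    return "", 0


def find_push_ret_stubs(code: bytes, base: int = 0) -> list[dict]:
    """Linear scan for `push r32` / `push imm32` immediately followed by a near or far return.

    Pushing a value and returning is an indirect jump to that value. A linear byte
    scan has no instruction boundaries, so hits inside data or immediates are
    possible: treat the output as leads to confirm in a disassembler.
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        push_len, push_txt, target = 0, "", None
        if 0x50 <= code[i] <= 0x57:                       # push r32 (one-byte opcode)
            push_len, push_txt = 1, f"push {REG32[code[i] - 0x50]}"
        elif code[i] == 0x68 and i + 5 <= n:              # push imm32
            target = int.from_bytes(code[i + 1:i + 5], "little")
            push_len, push_txt = 5, f"push {target:#010x}"
        if push_len:
            j = i + push_len
            ret_txt, ret_len = decode_ret(code, j)
            if ret_len:
                hits.append({"offset": base + i, "mnemonic": f"{push_txt}; {ret_txt}",
                             "target": target, "length": push_len + ret_len})
                i = j + ret_len                           # skip past the stub we just matched
                continue
        i += 1
    return hits


# constructed bytes: nop x3; push ecx; ret; nop; mov eax,[ebp+8]; push 0x12345678; ret;
# xor eax,eax; push eax; retf; nop
SAMPLE_CODE = bytes.fromhex("90 90 90 51 C3 90 8B 45 08 68 78 56 34 12 C3 33 C0 50 CB 90")

if __name__ == "__main__":
    for h in find_push_ret_stubs(SAMPLE_CODE, base=0x400000):
        print(f"{h['offset']:#010x}: {h['mnemonic']}")
```

Pass `base=` as the section's load address so the offsets line up with the report's process-relative addresses; for the register form the target is only knowable at run time, which is exactly why these stubs defeat static cross-reference analysis.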

Boot Survival
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs (dropped file; two creation events)
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 2_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe -> Code function: 0_2_0057F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe -> Code function: 0_2_005F1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 1_2_007FF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 1_2_00871C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Windows\SysWOW64\svchost.exe -> Code function: 3_2_0321F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Windows\SysWOW64\svchost.exe -> Code function: 3_2_03291C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 2_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
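Persistence here is nothing more than a script dropped into the per-user Startup folder: at logon wscript.exe runs it (the CLSID queried earlier, {B54F3741-5B07-11cf-A4B0-00AA004A55E8}, is the VBScript language engine that wscript.exe resolves before executing a .vbs) and the script relaunches RegAsymX.exe from %LOCALAPPDATA%. The Python below is an added example, not from the report or the sample: it audits a Startup folder for scripts that launch binaries from user-writable paths. It creates a temporary directory standing in for the Startup folder and drops a constructed RegAsymX.vbs into it; the script text is an assumption (the report shows only that the .vbs exists and that wscript.exe relaunches RegAsymX.exe from it).

```python
"""Audit a Startup folder for script-based persistence like the dropped RegAsymX.vbs.

Added example, not from the report. It builds a throwaway directory standing in for
%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup and drops a CONSTRUCTED
launcher script into it; the script's contents are an assumption (the report shows only
that wscript.exe runs RegAsymX.vbs and that RegAsymX.exe is relaunched from it).
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1"}
# absolute Windows path ending in an executable-ish extension
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]+?\.(?:exe|scr|dll|bat|cmd|ps1)', re.I)
# locations a standard user can write to (ProgramData included because it is commonly abused)
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Users\\[^\\]+\\(?:Desktop|Downloads|Documents))\\", re.I)
LAUNCHER = re.compile(r"WScript\.Shell|Shell\.Application|ShellExecute|\.Run\b|\.Exec\b", re.I)

# CONSTRUCTED launcher: hidden-window relaunch of the dropped copy (assumed content)
CONSTRUCTED_VBS = (
    'Set objShell = CreateObject("WScript.Shell")\n'
    r'objShell.Run """C:\Users\user\AppData\Local\directory\RegAsymX.exe""", 0, False' + "\n"
)


def scan_startup_folder(folder: str) -> list[dict]:
    """Return one finding per suspicious entry: script files and shortcuts."""
    findings = []
    for entry in sorted(Path(folder).iterdir()):
        ext = entry.suffix.lower()
        if ext == ".lnk":
            # shortcuts need a .lnk parser to resolve their target; flag them for review
            findings.append({"file": entry.name, "reasons": ["shortcut in Startup folder"], "targets": []})
            continue
        if ext not in SCRIPT_EXT:
            continue
        text = entry.read_text(errors="replace")
        targets = sorted({t for t in EXE_PATH.findall(text) if USER_WRITABLE.search(t)})
        reasons = ["script in Startup folder"]
        if LAUNCHER.search(text):
            reasons.append("uses a process-launch object")
        if targets:
            reasons.append("launches a binary from a user-writable path")
        findings.append({"file": entry.name, "reasons": reasons, "targets": targets})
    return findings


def build_demo_startup_folder() -> str:
    """Create a stand-in Startup folder holding the constructed launcher and a benign file."""
    d = tempfile.mkdtemp(prefix="startup_demo_")
    (Path(d) / "RegAsymX.vbs").write_text(CONSTRUCTED_VBS)
    (Path(d) / "desktop.ini").write_text("[.ShellClassInfo]\n")   # benign, ignored
    return d


if __name__ == "__main__":
    for f in scan_startup_folder(build_demo_startup_folder()):
        print(f["file"], "|", "; ".join(f["reasons"]), "|", f["targets"])
```

On a live host run it against both the per-user folder the report names and the all-users one under %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp; remediation means deleting the script and the binary it points to, since the .vbs alone will be recreated by a running RegAsymX.exe.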
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe -> Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe -> Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe -> Process information set: NOOPENFILEERRORBOX (51 occurrences)
Source: C:\Windows\System32\wscript.exe -> Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Process information set: NOOPENFILEERRORBOX (2 occurrences)

Malware Analysis System Evasion
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 2_2_0040F7E2 Sleep,ExitProcess
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 8_2_0040F7E2 Sleep,ExitProcess
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe -> Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 2_2_0041A7D9 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 8_2_0041A7D9 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\System32\wscript.exe -> Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Window / User API: threadDelayed 1632
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Window / User API: threadDelayed 1623
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Window / User API: threadDelayed 3312
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe -> API coverage: 3.8 %
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> API coverage: 3.7 %
Source: C:\Windows\SysWOW64\svchost.exe -> API coverage: 1.0 %
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> API coverage: 7.9 %
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe TID: 7640 -> Thread sleep count: 41 > 30
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe TID: 7644 -> Thread sleep count: 1632 > 30
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe TID: 7644 -> Thread sleep time: -4896000s >= -30000s
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe TID: 7652 -> Thread sleep count: 1623 > 30
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe TID: 7652 -> Thread sleep time: -4869000s >= -30000s
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe TID: 5804 -> Thread sleep count: 3312 > 30
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe TID: 5804 -> Thread sleep time: -3312000s >= -30000s
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Last function: Thread delayed
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Last function: Thread delayed
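The thread rows pair a call count with a total, and the totals are exact products of the counts: -4896000 is 1632 x 3000, -4869000 is 1623 x 3000 and -3312000 is 3312 x 1000. So the "sleep time" is the sum of relative NtDelayExecution intervals expressed in milliseconds (negative because the kernel encodes a relative delay as a negative interval), the -30000 threshold is 30 seconds of accumulated delay, and the "s" suffix is the tool's label rather than seconds. TID 7640 has a count row but no time row: it crossed the count threshold with short sleeps. The Python below is an added example, not the report's logic, that reproduces both metrics from per-call telemetry. The calls are constructed: the 3000 ms and 1000 ms interval sizes and the 41 x 100 ms calls on TID 7640 are assumptions that fit the listed totals.

```python
"""Aggregate per-thread delay calls into the sleep-evasion metrics the report shows.

Added example, not from the report. The calls are CONSTRUCTED so that each thread's
count and total reproduce the report's figures (TID 7644: 1632 x 3000 ms, TID 7652:
1623 x 3000 ms, TID 5804: 3312 x 1000 ms); the 3000/1000 ms interval sizes and the
41 x 100 ms calls on TID 7640 are assumptions that fit the listed totals.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

COUNT_THRESHOLD = 30          # the report's "sleep count > 30"
TOTAL_MS_THRESHOLD = 30_000   # the report's "-30000" threshold: 30 s of accumulated delay


@dataclass(frozen=True)
class DelayCall:
    tid: int
    interval: int   # NtDelayExecution interval: negative = relative, in 100 ns units


def relative_interval_to_ms(interval: int) -> int | None:
    """Convert a relative (negative) 100 ns interval to milliseconds; None for absolute times."""
    if interval >= 0:            # positive values are absolute timestamps, not durations
        return None
    return -interval // 10_000   # 10_000 units of 100 ns per millisecond


def make_calls(tid: int, count: int, ms: int) -> list[DelayCall]:
    """CONSTRUCTED telemetry: `count` relative sleeps of `ms` milliseconds on one thread."""
    return [DelayCall(tid, -ms * 10_000)] * count


SAMPLE_CALLS = (make_calls(7640, 41, 100) + make_calls(7644, 1632, 3000)
                + make_calls(7652, 1623, 3000) + make_calls(5804, 3312, 1000))


def aggregate(calls) -> dict[int, dict[str, int]]:
    """Per-thread call count and summed delay in milliseconds, ignoring absolute waits."""
    per_thread = defaultdict(lambda: {"count": 0, "total_ms": 0})
    for c in calls:
        ms = relative_interval_to_ms(c.interval)
        if ms is None:
            continue
        per_thread[c.tid]["count"] += 1
        per_thread[c.tid]["total_ms"] += ms
    return dict(per_thread)


def evasion_findings(calls) -> list[tuple[int, str, int]]:
    """(tid, metric, value) for every thread over either threshold, as the report lists them."""
    out = []
    for tid, s in sorted(aggregate(calls).items()):
        if s["count"] > COUNT_THRESHOLD:
            out.append((tid, "sleep_count", s["count"]))
        if s["total_ms"] >= TOTAL_MS_THRESHOLD:
            out.append((tid, "sleep_total_ms", s["total_ms"]))
    return out


if __name__ == "__main__":
    for tid, metric, value in evasion_findings(SAMPLE_CALLS):
        print(f"TID {tid}: {metric} = {value}")
```

The two thresholds catch different tricks: the count rule flags a tight loop of short sleeps that an analysis timeout cannot outwait, the total rule flags a few very long sleeps; a sandbox that patches Sleep to return immediately defeats the second but still records the first, which is why the report's Sleep,ExitProcess function is worth the look.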
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe -> Code function: 0_2_005CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe -> Code function: 0_2_005D68EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe -> Code function: 0_2_005D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe -> Code function: 0_2_005CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe -> Code function: 0_2_005CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe -> Code function: 0_2_005D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe -> Code function: 0_2_005D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe -> Code function: 0_2_005D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe -> Code function: 0_2_005D5C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 1_2_0084DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 1_2_008568EE FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 1_2_0085698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe -> Code function: 1_2_0084D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_0084D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_0084D3A9
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_00859642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00859642
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_0085979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_0085979D
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_00859B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,1_2_00859B2B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_00855C97 FindFirstFileW,FindNextFileW,FindClose,1_2_00855C97
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_0040928E
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,2_2_0041C322
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,2_2_0040C388
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_004096A0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,2_2_00408847
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_00407877 FindFirstFileW,FindNextFileW,2_2_00407877
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,2_2_0040BB6B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,2_2_00419B86
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,2_2_0040BD72
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0327698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,3_2_0327698F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_032768EE FindFirstFileW,FindClose,3_2_032768EE
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0326D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_0326D3A9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0326D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_0326D076
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0327979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_0327979D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03279642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_03279642
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03279B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,3_2_03279B2B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0326DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,3_2_0326DBBE
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03275C97 FindFirstFileW,FindNextFileW,FindClose,3_2_03275C97
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_0040928E
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,8_2_0041C322
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_0040C388
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_004096A0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,8_2_00408847
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_00407877 FindFirstFileW,FindNextFileW,8_2_00407877
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_0040BB6B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,8_2_00419B86
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_0040BD72
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,2_2_00407CD2
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_005642DE
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                  Source: Amcache.hve.6.drBinary or memory string: VMware
                  Source: Amcache.hve.6.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.6.drBinary or memory string: vmci.syshbin
                  Source: Amcache.hve.6.drBinary or memory string: VMware, Inc.
                  Source: Amcache.hve.6.drBinary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.6.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.6.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.6.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: RegAsymX.exe, 00000002.00000002.4144358556.0000000001346000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll81
                  Source: Amcache.hve.6.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.6.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.6.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.6.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.6.drBinary or memory string: vmci.sys
                  Source: Amcache.hve.6.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: Amcache.hve.6.drBinary or memory string: vmci.syshbin`
                  Source: Amcache.hve.6.drBinary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.6.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.6.drBinary or memory string: VMware20,1
                  Source: Amcache.hve.6.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.6.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.6.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.6.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.6.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.6.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.6.drBinary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.6.drBinary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.6.drBinary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.6.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.6.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
                  Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005DEAA2 BlockInput,0_2_005DEAA2
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_00592622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00592622
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_005642DE
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_00584CE8 mov eax, dword ptr fs:[00000030h]0_2_00584CE8
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_020234F0 mov eax, dword ptr fs:[00000030h]0_2_020234F0
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_02023550 mov eax, dword ptr fs:[00000030h]0_2_02023550
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_02021E7E mov eax, dword ptr fs:[00000030h]0_2_02021E7E
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_02021E90 mov eax, dword ptr fs:[00000030h]0_2_02021E90
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_00804CE8 mov eax, dword ptr fs:[00000030h]1_2_00804CE8
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_006034F0 mov eax, dword ptr fs:[00000030h]1_2_006034F0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_00603550 mov eax, dword ptr fs:[00000030h]1_2_00603550
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_00601E7E mov eax, dword ptr fs:[00000030h]1_2_00601E7E
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_00601E90 mov eax, dword ptr fs:[00000030h]1_2_00601E90
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_00443355 mov eax, dword ptr fs:[00000030h]2_2_00443355
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_01033550 mov eax, dword ptr fs:[00000030h]2_2_01033550
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_010334F0 mov eax, dword ptr fs:[00000030h]2_2_010334F0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_01031E7E mov eax, dword ptr fs:[00000030h]2_2_01031E7E
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_01031E90 mov eax, dword ptr fs:[00000030h]2_2_01031E90
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03224CE8 mov eax, dword ptr fs:[00000030h]3_2_03224CE8
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_00443355 mov eax, dword ptr fs:[00000030h]8_2_00443355
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_018A3550 mov eax, dword ptr fs:[00000030h]8_2_018A3550
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_018A34F0 mov eax, dword ptr fs:[00000030h]8_2_018A34F0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_018A1E90 mov eax, dword ptr fs:[00000030h]8_2_018A1E90
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_018A1E7E mov eax, dword ptr fs:[00000030h]8_2_018A1E7E
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005C0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_005C0B62
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_00592622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00592622
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_0058083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0058083F
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005809D5 SetUnhandledExceptionFilter,0_2_005809D5
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_00580C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00580C21
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_00812622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00812622
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_0080083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0080083F
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_008009D5 SetUnhandledExceptionFilter,1_2_008009D5
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_00800C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00800C21
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0043503C
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00434A8A
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0043BB71
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_00434BD8 SetUnhandledExceptionFilter,2_2_00434BD8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03232622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_03232622
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_032209D5 SetUnhandledExceptionFilter,3_2_032209D5
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0322083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0322083F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03220C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_03220C21
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_0043503C
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00434A8A
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_0043BB71
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_00434BD8 SetUnhandledExceptionFilter,8_2_00434BD8

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,2_2_0041812A
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3179008
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe2_2_00412132
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe8_2_00412132
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005C1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_005C1201
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005A2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_005A2BA5
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005CB226 SendInput,keybd_event,0_2_005CB226
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005E22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,0_2_005E22DA
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\directory\RegAsymX.exe "C:\Users\user\AppData\Local\directory\RegAsymX.exe"
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005C0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_005C0B62
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005C1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_005C1663
                  Source: 3TpW2Sn68z.exe, RegAsymX.exe.0.drBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: RegAsymX.exe, 00000002.00000002.4143971478.0000000001118000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager2R\
                  Source: 3TpW2Sn68z.exe, RegAsymX.exeBinary or memory string: Shell_TrayWnd
                  Source: RegAsymX.exe, 00000002.00000002.4144358556.0000000001346000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager2R\G
                  Source: RegAsymX.exe, 00000002.00000002.4144358556.0000000001346000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager2R\Y
                  Source: RegAsymX.exe, 00000002.00000002.4144358556.0000000001346000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager@
                  Source: RegAsymX.exe, 00000002.00000002.4143971478.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager9
                  Source: RegAsymX.exe, 00000002.00000002.4144358556.0000000001346000.00000004.00000020.00020000.00000000.sdmp, logs.dat.2.drBinary or memory string: [Program Manager]
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_00580698 cpuid 0_2_00580698
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: EnumSystemLocalesW,2_2_0045201B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: EnumSystemLocalesW,2_2_004520B6
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_00452143
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: GetLocaleInfoW,2_2_00452393
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: EnumSystemLocalesW,2_2_00448484
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_004524BC
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: GetLocaleInfoW,2_2_004525C3
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_00452690
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: GetLocaleInfoW,2_2_0044896D
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: GetLocaleInfoA,2_2_0040F90C
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,2_2_00451D58
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: EnumSystemLocalesW,2_2_00451FD0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: EnumSystemLocalesW,8_2_0045201B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: EnumSystemLocalesW,8_2_004520B6
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,8_2_00452143
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: GetLocaleInfoW,8_2_00452393
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: EnumSystemLocalesW,8_2_00448484
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_004524BC
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: GetLocaleInfoW,8_2_004525C3
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_00452690
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: GetLocaleInfoW,8_2_0044896D
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: GetLocaleInfoA,8_2_0040F90C
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,8_2_00451D58
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: EnumSystemLocalesW,8_2_00451FD0
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005D8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_005D8195
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005BD27A GetUserNameW,0_2_005BD27A
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_0059BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_0059BB6F
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_005642DE
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: Amcache.hve.6.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.6.drBinary or memory string: msmpeng.exe
                  Source: Amcache.hve.6.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.6.drBinary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.4144608465.0000000003CEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.4143940399.0000000001B5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.4143632839.0000000001938000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4143971478.0000000001118000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4143971478.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4144505602.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR
                  Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 2_2_0040BA4D
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 8_2_0040BA4D
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 2_2_0040BB6B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: \key3.db 2_2_0040BB6B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 8_2_0040BB6B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: \key3.db 8_2_0040BB6B
                  Source: RegAsymX.exe | Binary or memory string: WIN_81
                  Source: RegAsymX.exe | Binary or memory string: WIN_XP
                  Source: RegAsymX.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                  Source: RegAsymX.exe | Binary or memory string: WIN_XPe
                  Source: RegAsymX.exe | Binary or memory string: WIN_VISTA
                  Source: RegAsymX.exe | Binary or memory string: WIN_7
                  Source: RegAsymX.exe | Binary or memory string: WIN_8

                  Remote Access Functionality

                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-FR1M2R
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-FR1M2R-W
                  Source: Yara match | File source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.4144608465.0000000003CEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.4143940399.0000000001B5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.4143632839.0000000001938000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4143971478.0000000001118000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4143971478.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4144505602.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR
                  Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: cmd.exe 2_2_0040569A
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: cmd.exe 8_2_0040569A
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005E1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_005E1204
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005E1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_005E1806
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00861204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,1_2_00861204
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00861806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,1_2_00861806
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03281204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,3_2_03281204
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03281806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,3_2_03281806
                  MITRE ATT&CK Matrix

                  The matrix is rebuilt here column by column (one line per tactic, techniques in row order). A number in parentheses is the signature-count badge the report shows beside that technique, reproduced as extracted; where several badges sit side by side they appear run together (for example 111 or 322).

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
                  Resource Development: Scripting (111); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
                  Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
                  Execution: Native API (1); Command and Scripting Interpreter (1); Service Execution (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
                  Persistence: Scripting (111); DLL Side-Loading (1); Valid Accounts (2); Windows Service (1); Registry Run Keys / Startup Folder (2); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                  Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Bypass User Account Control (1); Valid Accounts (2); Access Token Manipulation (21); Windows Service (1); Process Injection (322); Registry Run Keys / Startup Folder (2); At; Cron; Launchd
                  Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (12); Access Token Manipulation (21); Process Injection (322)
                  Credential Access: OS Credential Dumping (1); Input Capture (121); Credentials In Files (2); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
                  Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (4); System Information Discovery (26); Security Software Discovery (241); Virtualization/Sandbox Evasion (12); Process Discovery (2); Application Window Discovery (11); System Owner/User Discovery (1); System Network Connections Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
                  Collection: Archive Collected Data (11); Input Capture (121); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
                  Command and Control: Ingress Tool Transfer (11); Encrypted Channel (2); Non-Standard Port (1); Remote Access Software (1); Application Layer Protocol (1); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
                  Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph ID: 1504845 | Sample: 3TpW2Sn68z.exe | Start date: 05/09/2024 | Architecture: WINDOWS | Score: 100

                  Signatures attached to the start node: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

                  Process tree as drawn in the behavior graph (the numbers after a process name are the graph's count badges, kept as extracted):

                  • 3TpW2Sn68z.exe (6), started from the start node
                    • Created file: C:\Users\user\AppData\Local\...\RegAsymX.exe, PE32 (dropped)
                    • Signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection
                    • RegAsymX.exe (3), started
                      • Created file: C:\Users\user\AppData\...\RegAsymX.vbs, data (dropped)
                      • Signatures: Multi AV Scanner detection for dropped file; Contains functionality to bypass UAC (CMSTPLUA); Detected unpacking (creates a PE file in dynamic memory); 9 other signatures
                      • RegAsymX.exe (5 4), started
                        • DNS/IP Info: 84.38.132.103, ports 49730, 53009, 53013, DATACLUBLV Latvia
                        • Created file: C:\ProgramData\remcos\logs.dat, data (dropped)
                        • Signatures: Detected Remcos RAT; Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
                        • svchost.exe, started
                          • Signatures: Binary is likely a compiled AutoIt script file
                          • WerFault.exe (22 16), started
                  • wscript.exe (1), started from the start node
                    • Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                    • RegAsymX.exe (2), started
                      • Signatures: Detected Remcos RAT; Binary is likely a compiled AutoIt script file

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.