Windows Analysis Report
yPIOW6yoPi.exe

Overview

General Information

Sample name: yPIOW6yoPi.exe
renamed because original name is a hash value
Original sample name: 4d8f242a1d64b3b41748d2bd56ee6f7119434dedcdf793a83cea95fb31d13347.exe
Analysis ID: 1588844
MD5: a0acd7920f09a59331e008f8d3dc7ac1
SHA1: f6bf51b2bccc91476136e43a91b17076ed78b083
SHA256: 4d8f242a1d64b3b41748d2bd56ee6f7119434dedcdf793a83cea95fb31d13347
Tags: exe, RemcosRAT, user-adrian__luca

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: yPIOW6yoPi.exe Avira: detected
Source: 00000011.00000002.4625247428.000000000084E000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["198.23.227.212:32583:1"], "Assigned name": "Yavakosa", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "yavascript.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I7G983", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "xenor", "Keylog folder": "remcos"}
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe ReversingLabs: Detection: 71%
Source: yPIOW6yoPi.exe ReversingLabs: Detection: 71%
Source: Yara match File source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.4625247428.000000000084E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2295191627.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2378390823.0000000000748000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2309481158.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: yPIOW6yoPi.exe PID: 1612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yavascript.exe PID: 1512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yavascript.exe PID: 4196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yavascript.exe PID: 1352, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: yPIOW6yoPi.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_0043293A
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_02122BA1 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_02122BA1
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 17_2_0043293A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00782BA1 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 17_2_00782BA1
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 20_2_0043293A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_02162BA1 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 20_2_02162BA1
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 38_2_0043293A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_021B2BA1 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 38_2_021B2BA1
Source: yPIOW6yoPi.exe Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match File source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: yPIOW6yoPi.exe PID: 1612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yavascript.exe PID: 1512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yavascript.exe PID: 4196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yavascript.exe PID: 1352, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00406764 _wcslen,CoGetObject, 0_2_00406764
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00406764 _wcslen,CoGetObject, 17_2_00406764
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_00406764 _wcslen,CoGetObject, 20_2_00406764
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_00406764 _wcslen,CoGetObject, 38_2_00406764
Source: yPIOW6yoPi.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040B335
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 0_2_0041B42F
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040B53A
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0044D5E9 FindFirstFileExA, 0_2_0044D5E9
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 0_2_004089A9
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW, 0_2_00406AC2
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 0_2_00407A8C
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00418C69
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 0_2_00408DA7
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_020F900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_020F900E
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0210B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 0_2_0210B696
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_020FB59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_020FB59C
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0213D850 FindFirstFileExA, 0_2_0213D850
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_02108ED0 FindFirstFileW, 0_2_02108ED0
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_020F7CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 0_2_020F7CF3
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_020F6D29 FindFirstFileW,FindNextFileW, 0_2_020F6D29
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 17_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 17_2_0041B42F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 17_2_0040B53A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0044D5E9 FindFirstFileExA, 17_2_0044D5E9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 17_2_004089A9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00406AC2 FindFirstFileW,FindNextFileW, 17_2_00406AC2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 17_2_00407A8C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 17_2_00418C69
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 17_2_00408DA7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0075900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_0075900E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0075B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 17_2_0075B59C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0076B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 17_2_0076B696
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0079D850 FindFirstFileExA, 17_2_0079D850
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00757CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 17_2_00757CF3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00756D29 FindFirstFileW,FindNextFileW, 17_2_00756D29
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00768ED0 FindFirstFileW, 17_2_00768ED0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 20_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 20_2_0041B42F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 20_2_0040B53A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0044D5E9 FindFirstFileExA, 20_2_0044D5E9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 20_2_004089A9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_00406AC2 FindFirstFileW,FindNextFileW, 20_2_00406AC2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 20_2_00407A8C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 20_2_00418C69
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 20_2_00408DA7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0213900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 20_2_0213900E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0214B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 20_2_0214B696
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0213B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 20_2_0213B59C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0217D850 FindFirstFileExA, 20_2_0217D850
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_02148ED0 FindFirstFileW, 20_2_02148ED0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_02137CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 20_2_02137CF3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_02136D29 FindFirstFileW,FindNextFileW, 20_2_02136D29
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 38_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 38_2_0041B42F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 38_2_0040B53A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0044D5E9 FindFirstFileExA, 38_2_0044D5E9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 38_2_004089A9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_00406AC2 FindFirstFileW,FindNextFileW, 38_2_00406AC2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 38_2_00407A8C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 38_2_00418C69
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 38_2_00408DA7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0218900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 38_2_0218900E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0219B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 38_2_0219B696
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0218B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 38_2_0218B59C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_021CD850 FindFirstFileExA, 38_2_021CD850
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_02198ED0 FindFirstFileW, 38_2_02198ED0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_02187CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 38_2_02187CF3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_02186D29 FindFirstFileW,FindNextFileW, 38_2_02186D29
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00406F06

Networking

Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49753 -> 198.23.227.212:32583
Source: Malware configuration extractor IPs: 198.23.227.212
Source: global traffic TCP traffic: 192.168.2.6:49753 -> 198.23.227.212:32583
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 198.23.227.212
Source: Joe Sandbox View IP Address: 178.237.33.50
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49828 -> 178.237.33.50:80
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_004260F7 recv, 0_2_004260F7
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: yavascript.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: yavascript.exe, 00000011.00000003.2391005348.000000000088D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp.
Source: yPIOW6yoPi.exe, 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, yPIOW6yoPi.exe, 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, yPIOW6yoPi.exe, 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: yavascript.exe, 00000011.00000003.2391005348.000000000088D000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 00000011.00000002.4625247428.000000000088D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp4
Source: yavascript.exe, 00000011.00000002.4625247428.000000000084E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: yavascript.exe, 00000011.00000003.2391005348.000000000088D000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 00000011.00000002.4625247428.000000000088D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpk
Source: yavascript.exe, 00000011.00000003.2391005348.000000000088D000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 00000011.00000002.4625247428.000000000088D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpl
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000 0_2_004099E4
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_004159C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 17_2_004159C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 20_2_004159C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 38_2_004159C6
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 0_2_00409B10
Source: Yara match File source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: yPIOW6yoPi.exe PID: 1612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yavascript.exe PID: 1512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yavascript.exe PID: 4196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yavascript.exe PID: 1352, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.4625247428.000000000084E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2295191627.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2378390823.0000000000748000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2309481158.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: yPIOW6yoPi.exe PID: 1612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yavascript.exe PID: 1512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yavascript.exe PID: 4196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yavascript.exe PID: 1352, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0041BB77 SystemParametersInfoW, 0_2_0041BB77
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0210BDDE SystemParametersInfoW, 0_2_0210BDDE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0041BB77 SystemParametersInfoW, 17_2_0041BB77
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0076BDDE SystemParametersInfoW, 17_2_0076BDDE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0041BB77 SystemParametersInfoW, 20_2_0041BB77
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0214BDDE SystemParametersInfoW, 20_2_0214BDDE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0041BB77 SystemParametersInfoW, 38_2_0041BB77
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0219BDDE SystemParametersInfoW, 38_2_0219BDDE

System Summary

Source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2295009749.0000000000530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000014.00000002.2309360524.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000026.00000002.2378502507.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000011.00000002.4624113726.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: yPIOW6yoPi.exe PID: 1612, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: yavascript.exe PID: 1512, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: yavascript.exe PID: 4196, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: yavascript.exe PID: 1352, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 0_2_0041CA9E
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle, 0_2_0041ACC1
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle, 0_2_0041ACED
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0210AF28 OpenProcess,NtSuspendProcess,CloseHandle, 0_2_0210AF28
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0210AF54 OpenProcess,NtResumeProcess,CloseHandle, 0_2_0210AF54
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0210CD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 0_2_0210CD05
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 17_2_0041CA9E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle, 17_2_0041ACC1
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle, 17_2_0041ACED
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0076CD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 17_2_0076CD05
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0076AF54 OpenProcess,NtResumeProcess,CloseHandle, 17_2_0076AF54
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0076AF28 OpenProcess,NtSuspendProcess,CloseHandle, 17_2_0076AF28
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 20_2_0041CA9E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle, 20_2_0041ACC1
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle, 20_2_0041ACED
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0214AF28 OpenProcess,NtSuspendProcess,CloseHandle, 20_2_0214AF28
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0214AF54 OpenProcess,NtResumeProcess,CloseHandle, 20_2_0214AF54
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0214CD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 20_2_0214CD05
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 38_2_0041CA9E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle, 38_2_0041ACC1
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle, 38_2_0041ACED
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0219AF28 OpenProcess,NtSuspendProcess,CloseHandle, 38_2_0219AF28
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0219AF54 OpenProcess,NtResumeProcess,CloseHandle, 38_2_0219AF54
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0219CD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 38_2_0219CD05
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 0_2_004158B9
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_02105B1C ExitWindowsEx,LoadLibraryA,GetProcAddress, 0_2_02105B1C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 17_2_004158B9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00765B1C ExitWindowsEx,LoadLibraryA,GetProcAddress, 17_2_00765B1C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 20_2_004158B9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_02145B1C ExitWindowsEx,LoadLibraryA,GetProcAddress, 20_2_02145B1C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 38_2_004158B9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_02195B1C ExitWindowsEx,LoadLibraryA,GetProcAddress, 38_2_02195B1C
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0041D071 0_2_0041D071
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_004520D2 0_2_004520D2
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0043D098 0_2_0043D098
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00437150 0_2_00437150
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_004361AA 0_2_004361AA
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00426254 0_2_00426254
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00431377 0_2_00431377
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0041E5DF 0_2_0041E5DF
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0044C739 0_2_0044C739
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_004267CB 0_2_004267CB
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0043C9DD 0_2_0043C9DD
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00432A49 0_2_00432A49
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0043CC0C 0_2_0043CC0C
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00434D22 0_2_00434D22
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00426E73 0_2_00426E73
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00440E20 0_2_00440E20
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0043CE3B 0_2_0043CE3B
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00412F45 0_2_00412F45
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00452F00 0_2_00452F00
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00426FAD 0_2_00426FAD
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_02117214 0_2_02117214
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0210D2D8 0_2_0210D2D8
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0212D2FF 0_2_0212D2FF
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_02142339 0_2_02142339
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_021273B7 0_2_021273B7
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_02131087 0_2_02131087
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0212D0A2 0_2_0212D0A2
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_021170DA 0_2_021170DA
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_02126411 0_2_02126411
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_021164BB 0_2_021164BB
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_02116A32 0_2_02116A32
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0210E846 0_2_0210E846
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0212CE73 0_2_0212CE73
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0212CC44 0_2_0212CC44
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_02122CB0 0_2_02122CB0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0041D071 17_2_0041D071
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_004520D2 17_2_004520D2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0043D098 17_2_0043D098
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00437150 17_2_00437150
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_004361AA 17_2_004361AA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00426254 17_2_00426254
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00431377 17_2_00431377
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0041E5DF 17_2_0041E5DF
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0044C739 17_2_0044C739
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_004267CB 17_2_004267CB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0043C9DD 17_2_0043C9DD
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00432A49 17_2_00432A49
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0043CC0C 17_2_0043CC0C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00434D22 17_2_00434D22
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00426E73 17_2_00426E73
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00440E20 17_2_00440E20
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0043CE3B 17_2_0043CE3B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00412F45 17_2_00412F45
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00452F00 17_2_00452F00
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00426FAD 17_2_00426FAD
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_007770DA 17_2_007770DA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0078D0A2 17_2_0078D0A2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00791087 17_2_00791087
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00777214 17_2_00777214
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0078D2FF 17_2_0078D2FF
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0076D2D8 17_2_0076D2D8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_007A2339 17_2_007A2339
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_007873B7 17_2_007873B7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00786411 17_2_00786411
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_007764BB 17_2_007764BB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0076E846 17_2_0076E846
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00776A32 17_2_00776A32
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0078CC44 17_2_0078CC44
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_00782CB0 17_2_00782CB0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0078CE73 17_2_0078CE73
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0041D071 20_2_0041D071
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_004520D2 20_2_004520D2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0043D098 20_2_0043D098
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_00437150 20_2_00437150
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_004361AA 20_2_004361AA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_00426254 20_2_00426254
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_00431377 20_2_00431377
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0041E5DF 20_2_0041E5DF
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0044C739 20_2_0044C739
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_004267CB 20_2_004267CB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0043C9DD 20_2_0043C9DD
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_00432A49 20_2_00432A49
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0043CC0C 20_2_0043CC0C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_00434D22 20_2_00434D22
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_00426E73 20_2_00426E73
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_00440E20 20_2_00440E20
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0043CE3B 20_2_0043CE3B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_00412F45 20_2_00412F45
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_00452F00 20_2_00452F00
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_00426FAD 20_2_00426FAD
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_02157214 20_2_02157214
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0214D2D8 20_2_0214D2D8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0216D2FF 20_2_0216D2FF
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_02182339 20_2_02182339
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_021673B7 20_2_021673B7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_02171087 20_2_02171087
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0216D0A2 20_2_0216D0A2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_021570DA 20_2_021570DA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_02166411 20_2_02166411
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_021564BB 20_2_021564BB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_02156A32 20_2_02156A32
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0214E846 20_2_0214E846
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0216CE73 20_2_0216CE73
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0216CC44 20_2_0216CC44
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_02162CB0 20_2_02162CB0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0041D071 38_2_0041D071
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_004520D2 38_2_004520D2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0043D098 38_2_0043D098
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_00437150 38_2_00437150
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_004361AA 38_2_004361AA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_00426254 38_2_00426254
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_00431377 38_2_00431377
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0041E5DF 38_2_0041E5DF
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0044C739 38_2_0044C739
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_004267CB 38_2_004267CB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0043C9DD 38_2_0043C9DD
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_00432A49 38_2_00432A49
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0043CC0C 38_2_0043CC0C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_00434D22 38_2_00434D22
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_00426E73 38_2_00426E73
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_00440E20 38_2_00440E20
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0043CE3B 38_2_0043CE3B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_00412F45 38_2_00412F45
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_00452F00 38_2_00452F00
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_00426FAD 38_2_00426FAD
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_021A7214 38_2_021A7214
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0219D2D8 38_2_0219D2D8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_021BD2FF 38_2_021BD2FF
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_021D2339 38_2_021D2339
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_021B73B7 38_2_021B73B7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_021C1087 38_2_021C1087
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_021BD0A2 38_2_021BD0A2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_021A70DA 38_2_021A70DA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_021B6411 38_2_021B6411
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_021A64BB 38_2_021A64BB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_021A6A32 38_2_021A6A32
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0219E846 38_2_0219E846
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_021BCE73 38_2_021BCE73
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_021BCC44 38_2_021BCC44
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_021B2CB0 38_2_021B2CB0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 0075234E appears 37 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 021B3B0C appears 41 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 02164217 appears 46 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 02163B0C appears 41 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 0043ADAE appears 45 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 021B4217 appears 46 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 0218234E appears 37 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 00401D64 appears 64 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 00447174 appears 54 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 00401F66 appears 150 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 00401FAA appears 63 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 00403B40 appears 66 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 00433FB0 appears 165 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 00406478 appears 33 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 00444B14 appears 84 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 00404C9E appears 48 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 004026CE appears 45 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 004020E7 appears 118 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 004567E0 appears 39 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 00401E8F appears 55 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 00401E52 appears 33 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 004040BB appears 54 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 00410D8D appears 54 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 004338A5 appears 123 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 00783B0C appears 41 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 0213234E appears 37 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: String function: 00784217 appears 46 times
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: String function: 004020E7 appears 39 times
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: String function: 020F234E appears 37 times
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: String function: 02124217 appears 46 times
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: String function: 00401F66 appears 50 times
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: String function: 004338A5 appears 41 times
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: String function: 02123B0C appears 41 times
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: String function: 00433FB0 appears 55 times
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1000
Source: yPIOW6yoPi.exe, 00000000.00000003.2152739528.00000000005AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesDefence0 vs yPIOW6yoPi.exe
Source: yPIOW6yoPi.exe, 00000000.00000000.2143194743.0000000000463000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesDefence0 vs yPIOW6yoPi.exe
Source: yPIOW6yoPi.exe Binary or memory string: OriginalFilenamesDefence0 vs yPIOW6yoPi.exe
Source: yPIOW6yoPi.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSH<
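The match records above repeat the same three rules for every unpacked memory region of every process, which makes the list long but hides the one fact an incident responder needs: which processes carry both the Remcos family signature and the CMSTP UAC-bypass indicator. The script below is an added triage helper, not part of the sandbox report or of Joe Sandbox itself. It assumes the record layout seen above (`Source: <pid>.<stage>.<process>.<hex address>.<index>[.raw].unpack, type: ... Matched rule: <name> <metadata>`), collapses the per-dump matches into one rule set per process, and returns the processes where a family rule and the `INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM` indicator co-occur. The sample input is a constructed, abbreviated subset of the report's own lines plus one non-record line to show that unrelated text is skipped.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed record layout, taken from the report lines above:
#   Source: <pid>.<stage>.<process>.<hex addr>.<index>[.raw].unpack, type: <T> Matched rule: <rule> <metadata>
# The process name itself contains dots (e.g. "yavascript.exe"), so it is
# matched non-greedily and the hex address / index anchor the end of it.
SOURCE_RE = re.compile(
    r"^Source:\s+(?P<pid>\d+)\.(?P<stage>\d+)\.(?P<proc>.+?)\."
    r"(?P<addr>[0-9a-fA-F]+)\.(?P<idx>\d+)(?P<raw>\.raw)?\.unpack,"
    r"\s+type:\s+(?P<type>\S+)\s+Matched rule:\s+(?P<rule>\S+)(?P<meta>.*)$"
)
# Technique id as the ditekSHen rule metadata spells it: "MITRE (T1218.003)"
MITRE_RE = re.compile(r"MITRE \((T\d{4}(?:\.\d{3})?)\)")

# Rule names exactly as they appear in the report.
FAMILY_RULES = {"Windows_Trojan_Remcos_b296e965", "REMCOS_RAT_variants"}
UAC_BYPASS_RULE = "INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM"


@dataclass(frozen=True)
class Match:
    pid: int
    stage: int
    process: str
    address: int
    raw: bool
    rule: str
    technique: Optional[str]


def parse_match(line: str) -> Optional[Match]:
    """Parse one 'Source: ... Matched rule: ...' record; None for other text."""
    m = SOURCE_RE.match(line.strip())
    if not m:
        return None
    tech = MITRE_RE.search(m["meta"])
    return Match(pid=int(m["pid"]), stage=int(m["stage"]), process=m["proc"],
                 address=int(m["addr"], 16), raw=m["raw"] is not None,
                 rule=m["rule"], technique=tech.group(1) if tech else None)


def summarize(lines: List[str]) -> dict:
    """Collapse all dumps of a process into one sorted list of matched rules."""
    hits = defaultdict(set)
    for line in lines:
        m = parse_match(line)
        if m:
            hits[(m.pid, m.process)].add(m.rule)
    return {key: sorted(rules) for key, rules in hits.items()}


def triage(lines: List[str]) -> List[Tuple[int, str]]:
    """Processes whose unpacked memory matched a Remcos family rule AND the
    CMSTP UAC-bypass indicator: these are the ones to prioritise for IR."""
    out = []
    for (pid, proc), rules in sorted(summarize(lines).items()):
        if FAMILY_RULES & set(rules) and UAC_BYPASS_RULE in rules:
            out.append((pid, proc))
    return out


def techniques(lines: List[str]) -> List[str]:
    """Distinct ATT&CK technique ids carried in the matched rules' metadata."""
    ids = {m.technique for m in map(parse_match, lines) if m and m.technique}
    return sorted(ids)


# Constructed sample: abbreviated copies of records from the report above,
# plus one line that is not a match record at all.
SAMPLE_LINES = """\
Source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 os = windows, threat_name = Windows.Trojan.Remcos
Source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild.
Source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 os = windows, threat_name = Windows.Trojan.Remcos
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, MITRE (T1218.003)
Source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild.
Source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, MITRE (T1218.003)
Not a match record: Detected Remcos RAT
""".splitlines()


if __name__ == "__main__":
    for key, rules in sorted(summarize(SAMPLE_LINES).items()):
        print(key, rules)
    print("prioritise:", triage(SAMPLE_LINES))
    print("techniques:", techniques(SAMPLE_LINES))
```

Feed it the full report text instead of `SAMPLE_LINES` and the output shrinks to one line per process. In the sample, PID 20 has only a family match and PID 38 only the UAC-bypass indicator, so neither is returned by `triage`; the requirement that both co-occur is what keeps a generic CMSTP COM indicator from being reported as Remcos on its own.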