Edit tour

Windows Analysis Report
IRSTaxRefund.exe

Overview

General Information

Sample name:	IRSTaxRefund.exe
Analysis ID:	1615763
MD5:	761f7bcf3a87c763b5731981a3eecfa1
SHA1:	54dcedae0c7aafa29a5f77837e24d5237c1bf3d5
SHA256:	8f9a49880a56f8eb66edc7d57d5d6325b4966de1204dfacc57cc381541cc23ed
Tags:	exeRATRemcosRATuser-abuse_ch
Infos:

Detection

DBatLoader, Remcos

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DBatLoader

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Allocates many large memory junks

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates a thread in another existing process (thread injection)

Delayed program exit found

Drops PE files with a suspicious file extension

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Creation with Colorcpl

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

Abnormal high CPU Usage

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

IRSTaxRefund.exe (PID: 7292 cmdline: "C:\Users\user\Desktop\IRSTaxRefund.exe" MD5: 761F7BCF3A87C763B5731981A3EECFA1)

cmd.exe (PID: 7340 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\TmohrqmbF.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7420 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\NEO.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

colorcpl.exe (PID: 7472 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)

colorcpl.exe (PID: 7580 cmdline: C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\user\AppData\Local\Temp\arbpnwwkbdbggftjlfvxogreibczuy" MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)

colorcpl.exe (PID: 7588 cmdline: C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\user\AppData\Local\Temp\arbpnwwkbdbggftjlfvxogreibczuy" MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)

colorcpl.exe (PID: 7596 cmdline: C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\user\AppData\Local\Temp\dlgiophmpltlilpvupprzllvriuivjxce" MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)

colorcpl.exe (PID: 7612 cmdline: C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\user\AppData\Local\Temp\nnlao" MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)

Tmohrqmb.PIF (PID: 7732 cmdline: "C:\Users\Public\Libraries\Tmohrqmb.PIF" MD5: 761F7BCF3A87C763B5731981A3EECFA1)

SndVol.exe (PID: 7784 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)

Tmohrqmb.PIF (PID: 7976 cmdline: "C:\Users\Public\Libraries\Tmohrqmb.PIF" MD5: 761F7BCF3A87C763B5731981A3EECFA1)

SndVol.exe (PID: 8036 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["frontofficefax20.home-webserver.de:4126:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "oiuytu-9JC965", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "iuytrtyu", "Keylog file max size": ""}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\iuytrtyu\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000003.1894324058.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1696793726.000000000234D000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000B.00000002.1812493335.0000000004AC0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000B.00000002.1812493335.0000000004AC0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.1812493335.0000000004AC0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.1812493335.0000000004AC0000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c68d:$a1: Remcos restarted by watchdog! 0x6cc05:$a3: %02i:%02i:%02i:%03i
0000000B.00000002.1812493335.0000000004AC0000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x66919:$str_a1: C:\Windows\System32\cmd.exe 0x66895:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66895:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66d95:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67395:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66989:$str_b2: Executing file: 0x677d1:$str_b3: GetDirectListeningPort 0x67185:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67305:$str_b7: \update.vbs 0x669b1:$str_b9: Downloaded file: 0x6699d:$str_b10: Downloading file: 0x66a41:$str_b12: Failed to upload file: 0x67799:$str_b13: StartForward 0x677b9:$str_b14: StopForward 0x6725d:$str_b15: fso.DeleteFile " 0x671f1:$str_b16: On Error Resume Next 0x6728d:$str_b17: fso.DeleteFolder " 0x66a31:$str_b18: Uploaded file: 0x669f1:$str_b19: Unable to delete: 0x67225:$str_b20: while fso.FileExists(" 0x66ece:$str_c0: [Firefox StoredLogins not found]
0000000B.00000002.1812493335.0000000004AC0000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66805:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66795:$s1: CoGetObject 0x667a9:$s1: CoGetObject 0x667c5:$s1: CoGetObject 0x70405:$s1: CoGetObject 0x66755:$s2: Elevation:Administrator!new:
0000000E.00000002.1896020251.0000000004BC0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000E.00000002.1896020251.0000000004BC0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000E.00000002.1896020251.0000000004BC0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000002.1896020251.0000000004BC0000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c68d:$a1: Remcos restarted by watchdog! 0x6cc05:$a3: %02i:%02i:%02i:%03i
0000000E.00000002.1896020251.0000000004BC0000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x66919:$str_a1: C:\Windows\System32\cmd.exe 0x66895:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66895:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66d95:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67395:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66989:$str_b2: Executing file: 0x677d1:$str_b3: GetDirectListeningPort 0x67185:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67305:$str_b7: \update.vbs 0x669b1:$str_b9: Downloaded file: 0x6699d:$str_b10: Downloading file: 0x66a41:$str_b12: Failed to upload file: 0x67799:$str_b13: StartForward 0x677b9:$str_b14: StopForward 0x6725d:$str_b15: fso.DeleteFile " 0x671f1:$str_b16: On Error Resume Next 0x6728d:$str_b17: fso.DeleteFolder " 0x66a31:$str_b18: Uploaded file: 0x669f1:$str_b19: Unable to delete: 0x67225:$str_b20: while fso.FileExists(" 0x66ece:$str_c0: [Firefox StoredLogins not found]
0000000E.00000002.1896020251.0000000004BC0000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66805:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66795:$s1: CoGetObject 0x667a9:$s1: CoGetObject 0x667c5:$s1: CoGetObject 0x70405:$s1: CoGetObject 0x66755:$s2: Elevation:Administrator!new:
00000005.00000002.4146895773.0000000007150000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000005.00000002.4146895773.0000000007150000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000005.00000002.4146895773.0000000007150000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000005.00000002.4146895773.0000000007150000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c68d:$a1: Remcos restarted by watchdog! 0x6cc05:$a3: %02i:%02i:%02i:%03i
00000005.00000002.4146895773.0000000007150000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x66919:$str_a1: C:\Windows\System32\cmd.exe 0x66895:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66895:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66d95:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67395:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66989:$str_b2: Executing file: 0x677d1:$str_b3: GetDirectListeningPort 0x67185:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67305:$str_b7: \update.vbs 0x669b1:$str_b9: Downloaded file: 0x6699d:$str_b10: Downloading file: 0x66a41:$str_b12: Failed to upload file: 0x67799:$str_b13: StartForward 0x677b9:$str_b14: StopForward 0x6725d:$str_b15: fso.DeleteFile " 0x671f1:$str_b16: On Error Resume Next 0x6728d:$str_b17: fso.DeleteFolder " 0x66a31:$str_b18: Uploaded file: 0x669f1:$str_b19: Unable to delete: 0x67225:$str_b20: while fso.FileExists(" 0x66ece:$str_c0: [Firefox StoredLogins not found]
00000005.00000002.4146895773.0000000007150000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66805:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66795:$s1: CoGetObject 0x667a9:$s1: CoGetObject 0x667c5:$s1: CoGetObject 0x70405:$s1: CoGetObject 0x66755:$s2: Elevation:Administrator!new:
0000000B.00000002.1811552220.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000B.00000002.1811552220.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.1811552220.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.1811552220.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c708:$a1: Remcos restarted by watchdog! 0x6cc80:$a3: %02i:%02i:%02i:%03i
0000000B.00000002.1811552220.0000000000400000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x66994:$str_a1: C:\Windows\System32\cmd.exe 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66a04:$str_b2: Executing file: 0x6784c:$str_b3: GetDirectListeningPort 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67380:$str_b7: \update.vbs 0x66a2c:$str_b9: Downloaded file: 0x66a18:$str_b10: Downloading file: 0x66abc:$str_b12: Failed to upload file: 0x67814:$str_b13: StartForward 0x67834:$str_b14: StopForward 0x672d8:$str_b15: fso.DeleteFile " 0x6726c:$str_b16: On Error Resume Next 0x67308:$str_b17: fso.DeleteFolder " 0x66aac:$str_b18: Uploaded file: 0x66a6c:$str_b19: Unable to delete: 0x672a0:$str_b20: while fso.FileExists(" 0x66f49:$str_c0: [Firefox StoredLogins not found]
0000000B.00000002.1811552220.0000000000400000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66810:$s1: CoGetObject 0x66824:$s1: CoGetObject 0x66840:$s1: CoGetObject 0x70480:$s1: CoGetObject 0x667d0:$s2: Elevation:Administrator!new:
00000005.00000002.4143664674.0000000003011000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000E.00000002.1894763646.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000E.00000002.1894763646.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000E.00000002.1894763646.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000002.1894763646.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c708:$a1: Remcos restarted by watchdog! 0x6cc80:$a3: %02i:%02i:%02i:%03i
0000000E.00000002.1894763646.0000000000400000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x66994:$str_a1: C:\Windows\System32\cmd.exe 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66a04:$str_b2: Executing file: 0x6784c:$str_b3: GetDirectListeningPort 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67380:$str_b7: \update.vbs 0x66a2c:$str_b9: Downloaded file: 0x66a18:$str_b10: Downloading file: 0x66abc:$str_b12: Failed to upload file: 0x67814:$str_b13: StartForward 0x67834:$str_b14: StopForward 0x672d8:$str_b15: fso.DeleteFile " 0x6726c:$str_b16: On Error Resume Next 0x67308:$str_b17: fso.DeleteFolder " 0x66aac:$str_b18: Uploaded file: 0x66a6c:$str_b19: Unable to delete: 0x672a0:$str_b20: while fso.FileExists(" 0x66f49:$str_c0: [Firefox StoredLogins not found]
0000000E.00000002.1894763646.0000000000400000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66810:$s1: CoGetObject 0x66824:$s1: CoGetObject 0x66840:$s1: CoGetObject 0x70480:$s1: CoGetObject 0x667d0:$s2: Elevation:Administrator!new:
0000000B.00000003.1811250276.0000000000C40000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000E.00000003.1894262247.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000005.00000002.4140858643.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000005.00000002.4140858643.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000005.00000002.4140858643.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000005.00000002.4140858643.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c708:$a1: Remcos restarted by watchdog! 0x6cc80:$a3: %02i:%02i:%02i:%03i
00000005.00000002.4140858643.0000000000400000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x66994:$str_a1: C:\Windows\System32\cmd.exe 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66a04:$str_b2: Executing file: 0x6784c:$str_b3: GetDirectListeningPort 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67380:$str_b7: \update.vbs 0x66a2c:$str_b9: Downloaded file: 0x66a18:$str_b10: Downloading file: 0x66abc:$str_b12: Failed to upload file: 0x67814:$str_b13: StartForward 0x67834:$str_b14: StopForward 0x672d8:$str_b15: fso.DeleteFile " 0x6726c:$str_b16: On Error Resume Next 0x67308:$str_b17: fso.DeleteFolder " 0x66aac:$str_b18: Uploaded file: 0x66a6c:$str_b19: Unable to delete: 0x672a0:$str_b20: while fso.FileExists(" 0x66f49:$str_c0: [Firefox StoredLogins not found]
00000005.00000002.4140858643.0000000000400000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66810:$s1: CoGetObject 0x66824:$s1: CoGetObject 0x66840:$s1: CoGetObject 0x70480:$s1: CoGetObject 0x667d0:$s2: Elevation:Administrator!new:
Process Memory Space: colorcpl.exe PID: 7472	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: colorcpl.exe PID: 7472	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: colorcpl.exe PID: 7472	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: colorcpl.exe PID: 7472	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: colorcpl.exe PID: 7472	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x2e6c9:$a1: Remcos restarted by watchdog! 0x4fe88:$a1: Remcos restarted by watchdog! 0x2ec26:$a3: %02i:%02i:%02i:%03i 0x2efde:$a3: %02i:%02i:%02i:%03i 0x503e5:$a3: %02i:%02i:%02i:%03i 0x5079d:$a3: %02i:%02i:%02i:%03i
Process Memory Space: colorcpl.exe PID: 7588	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: SndVol.exe PID: 7784	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: SndVol.exe PID: 7784	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: SndVol.exe PID: 7784	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: SndVol.exe PID: 7784	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xb8ef:$a1: Remcos restarted by watchdog! 0x1c378:$a1: Remcos restarted by watchdog! 0xbe4c:$a3: %02i:%02i:%02i:%03i 0xc204:$a3: %02i:%02i:%02i:%03i 0x1c8d5:$a3: %02i:%02i:%02i:%03i 0x1cc8d:$a3: %02i:%02i:%02i:%03i
Process Memory Space: SndVol.exe PID: 8036	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: SndVol.exe PID: 8036	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: SndVol.exe PID: 8036	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: SndVol.exe PID: 8036	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xa105:$a1: Remcos restarted by watchdog! 0x1c0ef:$a1: Remcos restarted by watchdog! 0xa662:$a3: %02i:%02i:%02i:%03i 0xaa1a:$a3: %02i:%02i:%02i:%03i 0x1c64c:$a3: %02i:%02i:%02i:%03i 0x1ca04:$a3: %02i:%02i:%02i:%03i
Click to see the 50 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.SndVol.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
11.2.SndVol.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.SndVol.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.SndVol.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
11.2.SndVol.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64f94:$str_a1: C:\Windows\System32\cmd.exe 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65004:$str_b2: Executing file: 0x65e4c:$str_b3: GetDirectListeningPort 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65980:$str_b7: \update.vbs 0x6502c:$str_b9: Downloaded file: 0x65018:$str_b10: Downloading file: 0x650bc:$str_b12: Failed to upload file: 0x65e14:$str_b13: StartForward 0x65e34:$str_b14: StopForward 0x658d8:$str_b15: fso.DeleteFile " 0x6586c:$str_b16: On Error Resume Next 0x65908:$str_b17: fso.DeleteFolder " 0x650ac:$str_b18: Uploaded file: 0x6506c:$str_b19: Unable to delete: 0x658a0:$str_b20: while fso.FileExists(" 0x65549:$str_c0: [Firefox StoredLogins not found]
11.2.SndVol.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
11.2.SndVol.exe.4ac1985.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
11.2.SndVol.exe.4ac1985.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.SndVol.exe.4ac1985.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.SndVol.exe.4ac1985.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69308:$a1: Remcos restarted by watchdog! 0x69880:$a3: %02i:%02i:%02i:%03i
11.2.SndVol.exe.4ac1985.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x63594:$str_a1: C:\Windows\System32\cmd.exe 0x63510:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63510:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63a10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64010:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x63604:$str_b2: Executing file: 0x6444c:$str_b3: GetDirectListeningPort 0x63e00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63f80:$str_b7: \update.vbs 0x6362c:$str_b9: Downloaded file: 0x63618:$str_b10: Downloading file: 0x636bc:$str_b12: Failed to upload file: 0x64414:$str_b13: StartForward 0x64434:$str_b14: StopForward 0x63ed8:$str_b15: fso.DeleteFile " 0x63e6c:$str_b16: On Error Resume Next 0x63f08:$str_b17: fso.DeleteFolder " 0x636ac:$str_b18: Uploaded file: 0x6366c:$str_b19: Unable to delete: 0x63ea0:$str_b20: while fso.FileExists(" 0x63b49:$str_c0: [Firefox StoredLogins not found]
11.2.SndVol.exe.4ac1985.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x63480:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x63410:$s1: CoGetObject 0x63424:$s1: CoGetObject 0x63440:$s1: CoGetObject 0x6d080:$s1: CoGetObject 0x633d0:$s2: Elevation:Administrator!new:
14.2.SndVol.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
14.2.SndVol.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.2.SndVol.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.SndVol.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
11.2.SndVol.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
11.2.SndVol.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.SndVol.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.SndVol.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64f94:$str_a1: C:\Windows\System32\cmd.exe 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65004:$str_b2: Executing file: 0x65e4c:$str_b3: GetDirectListeningPort 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65980:$str_b7: \update.vbs 0x6502c:$str_b9: Downloaded file: 0x65018:$str_b10: Downloading file: 0x650bc:$str_b12: Failed to upload file: 0x65e14:$str_b13: StartForward 0x65e34:$str_b14: StopForward 0x658d8:$str_b15: fso.DeleteFile " 0x6586c:$str_b16: On Error Resume Next 0x65908:$str_b17: fso.DeleteFolder " 0x650ac:$str_b18: Uploaded file: 0x6506c:$str_b19: Unable to delete: 0x658a0:$str_b20: while fso.FileExists(" 0x65549:$str_c0: [Firefox StoredLogins not found]
14.2.SndVol.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
11.2.SndVol.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c708:$a1: Remcos restarted by watchdog! 0x6cc80:$a3: %02i:%02i:%02i:%03i
11.2.SndVol.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x66994:$str_a1: C:\Windows\System32\cmd.exe 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66a04:$str_b2: Executing file: 0x6784c:$str_b3: GetDirectListeningPort 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67380:$str_b7: \update.vbs 0x66a2c:$str_b9: Downloaded file: 0x66a18:$str_b10: Downloading file: 0x66abc:$str_b12: Failed to upload file: 0x67814:$str_b13: StartForward 0x67834:$str_b14: StopForward 0x672d8:$str_b15: fso.DeleteFile " 0x6726c:$str_b16: On Error Resume Next 0x67308:$str_b17: fso.DeleteFolder " 0x66aac:$str_b18: Uploaded file: 0x66a6c:$str_b19: Unable to delete: 0x672a0:$str_b20: while fso.FileExists(" 0x66f49:$str_c0: [Firefox StoredLogins not found]
11.2.SndVol.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66810:$s1: CoGetObject 0x66824:$s1: CoGetObject 0x66840:$s1: CoGetObject 0x70480:$s1: CoGetObject 0x667d0:$s2: Elevation:Administrator!new:
0.2.IRSTaxRefund.exe.234d648.0.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
11.2.SndVol.exe.4ac0000.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
11.2.SndVol.exe.4ac0000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.SndVol.exe.4ac0000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.SndVol.exe.4bc1985.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
14.2.SndVol.exe.4bc1985.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.2.SndVol.exe.4bc1985.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.SndVol.exe.4bc1985.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
11.2.SndVol.exe.4ac0000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
14.2.SndVol.exe.4bc1985.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64f94:$str_a1: C:\Windows\System32\cmd.exe 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65004:$str_b2: Executing file: 0x65e4c:$str_b3: GetDirectListeningPort 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65980:$str_b7: \update.vbs 0x6502c:$str_b9: Downloaded file: 0x65018:$str_b10: Downloading file: 0x650bc:$str_b12: Failed to upload file: 0x65e14:$str_b13: StartForward 0x65e34:$str_b14: StopForward 0x658d8:$str_b15: fso.DeleteFile " 0x6586c:$str_b16: On Error Resume Next 0x65908:$str_b17: fso.DeleteFolder " 0x650ac:$str_b18: Uploaded file: 0x6506c:$str_b19: Unable to delete: 0x658a0:$str_b20: while fso.FileExists(" 0x65549:$str_c0: [Firefox StoredLogins not found]
11.2.SndVol.exe.4ac0000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.SndVol.exe.4ac0000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.SndVol.exe.4bc1985.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
11.2.SndVol.exe.4ac0000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c68d:$a1: Remcos restarted by watchdog! 0x6cc05:$a3: %02i:%02i:%02i:%03i
11.2.SndVol.exe.4ac0000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ba8d:$a1: Remcos restarted by watchdog! 0x6c005:$a3: %02i:%02i:%02i:%03i
11.2.SndVol.exe.4ac0000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x65d19:$str_a1: C:\Windows\System32\cmd.exe 0x65c95:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65c95:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66195:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66795:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65d89:$str_b2: Executing file: 0x66bd1:$str_b3: GetDirectListeningPort 0x66585:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66705:$str_b7: \update.vbs 0x65db1:$str_b9: Downloaded file: 0x65d9d:$str_b10: Downloading file: 0x65e41:$str_b12: Failed to upload file: 0x66b99:$str_b13: StartForward 0x66bb9:$str_b14: StopForward 0x6665d:$str_b15: fso.DeleteFile " 0x665f1:$str_b16: On Error Resume Next 0x6668d:$str_b17: fso.DeleteFolder " 0x65e31:$str_b18: Uploaded file: 0x65df1:$str_b19: Unable to delete: 0x66625:$str_b20: while fso.FileExists(" 0x662ce:$str_c0: [Firefox StoredLogins not found]
11.2.SndVol.exe.4ac0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65c05:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65b95:$s1: CoGetObject 0x65ba9:$s1: CoGetObject 0x65bc5:$s1: CoGetObject 0x6f805:$s1: CoGetObject 0x65b55:$s2: Elevation:Administrator!new:
11.2.SndVol.exe.4ac0000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x66919:$str_a1: C:\Windows\System32\cmd.exe 0x66895:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66895:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66d95:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67395:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66989:$str_b2: Executing file: 0x677d1:$str_b3: GetDirectListeningPort 0x67185:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67305:$str_b7: \update.vbs 0x669b1:$str_b9: Downloaded file: 0x6699d:$str_b10: Downloading file: 0x66a41:$str_b12: Failed to upload file: 0x67799:$str_b13: StartForward 0x677b9:$str_b14: StopForward 0x6725d:$str_b15: fso.DeleteFile " 0x671f1:$str_b16: On Error Resume Next 0x6728d:$str_b17: fso.DeleteFolder " 0x66a31:$str_b18: Uploaded file: 0x669f1:$str_b19: Unable to delete: 0x67225:$str_b20: while fso.FileExists(" 0x66ece:$str_c0: [Firefox StoredLogins not found]
11.2.SndVol.exe.4ac0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66805:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66795:$s1: CoGetObject 0x667a9:$s1: CoGetObject 0x667c5:$s1: CoGetObject 0x70405:$s1: CoGetObject 0x66755:$s2: Elevation:Administrator!new:
14.2.SndVol.exe.4bc0000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
14.2.SndVol.exe.4bc0000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.2.SndVol.exe.4bc0000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.SndVol.exe.4bc0000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ba8d:$a1: Remcos restarted by watchdog! 0x6c005:$a3: %02i:%02i:%02i:%03i
14.2.SndVol.exe.4bc0000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x65d19:$str_a1: C:\Windows\System32\cmd.exe 0x65c95:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65c95:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66195:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66795:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65d89:$str_b2: Executing file: 0x66bd1:$str_b3: GetDirectListeningPort 0x66585:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66705:$str_b7: \update.vbs 0x65db1:$str_b9: Downloaded file: 0x65d9d:$str_b10: Downloading file: 0x65e41:$str_b12: Failed to upload file: 0x66b99:$str_b13: StartForward 0x66bb9:$str_b14: StopForward 0x6665d:$str_b15: fso.DeleteFile " 0x665f1:$str_b16: On Error Resume Next 0x6668d:$str_b17: fso.DeleteFolder " 0x65e31:$str_b18: Uploaded file: 0x65df1:$str_b19: Unable to delete: 0x66625:$str_b20: while fso.FileExists(" 0x662ce:$str_c0: [Firefox StoredLogins not found]
14.2.SndVol.exe.4bc0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65c05:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65b95:$s1: CoGetObject 0x65ba9:$s1: CoGetObject 0x65bc5:$s1: CoGetObject 0x6f805:$s1: CoGetObject 0x65b55:$s2: Elevation:Administrator!new:
5.2.colorcpl.exe.7151985.4.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.2.colorcpl.exe.7151985.4.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
5.2.colorcpl.exe.7151985.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.colorcpl.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.2.colorcpl.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
5.2.colorcpl.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.colorcpl.exe.7151985.4.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
5.2.colorcpl.exe.7151985.4.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64f94:$str_a1: C:\Windows\System32\cmd.exe 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65004:$str_b2: Executing file: 0x65e4c:$str_b3: GetDirectListeningPort 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65980:$str_b7: \update.vbs 0x6502c:$str_b9: Downloaded file: 0x65018:$str_b10: Downloading file: 0x650bc:$str_b12: Failed to upload file: 0x65e14:$str_b13: StartForward 0x65e34:$str_b14: StopForward 0x658d8:$str_b15: fso.DeleteFile " 0x6586c:$str_b16: On Error Resume Next 0x65908:$str_b17: fso.DeleteFolder " 0x650ac:$str_b18: Uploaded file: 0x6506c:$str_b19: Unable to delete: 0x658a0:$str_b20: while fso.FileExists(" 0x65549:$str_c0: [Firefox StoredLogins not found]
5.2.colorcpl.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
5.2.colorcpl.exe.7151985.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
5.2.colorcpl.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64f94:$str_a1: C:\Windows\System32\cmd.exe 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65004:$str_b2: Executing file: 0x65e4c:$str_b3: GetDirectListeningPort 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65980:$str_b7: \update.vbs 0x6502c:$str_b9: Downloaded file: 0x65018:$str_b10: Downloading file: 0x650bc:$str_b12: Failed to upload file: 0x65e14:$str_b13: StartForward 0x65e34:$str_b14: StopForward 0x658d8:$str_b15: fso.DeleteFile " 0x6586c:$str_b16: On Error Resume Next 0x65908:$str_b17: fso.DeleteFolder " 0x650ac:$str_b18: Uploaded file: 0x6506c:$str_b19: Unable to delete: 0x658a0:$str_b20: while fso.FileExists(" 0x65549:$str_c0: [Firefox StoredLogins not found]
5.2.colorcpl.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
14.2.SndVol.exe.4bc0000.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
14.2.SndVol.exe.4bc0000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.2.SndVol.exe.4bc0000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.SndVol.exe.4bc0000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c68d:$a1: Remcos restarted by watchdog! 0x6cc05:$a3: %02i:%02i:%02i:%03i
14.2.SndVol.exe.4bc0000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x66919:$str_a1: C:\Windows\System32\cmd.exe 0x66895:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66895:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66d95:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67395:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66989:$str_b2: Executing file: 0x677d1:$str_b3: GetDirectListeningPort 0x67185:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67305:$str_b7: \update.vbs 0x669b1:$str_b9: Downloaded file: 0x6699d:$str_b10: Downloading file: 0x66a41:$str_b12: Failed to upload file: 0x67799:$str_b13: StartForward 0x677b9:$str_b14: StopForward 0x6725d:$str_b15: fso.DeleteFile " 0x671f1:$str_b16: On Error Resume Next 0x6728d:$str_b17: fso.DeleteFolder " 0x66a31:$str_b18: Uploaded file: 0x669f1:$str_b19: Unable to delete: 0x67225:$str_b20: while fso.FileExists(" 0x66ece:$str_c0: [Firefox StoredLogins not found]
14.2.SndVol.exe.4bc0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66805:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66795:$s1: CoGetObject 0x667a9:$s1: CoGetObject 0x667c5:$s1: CoGetObject 0x70405:$s1: CoGetObject 0x66755:$s2: Elevation:Administrator!new:
0.2.IRSTaxRefund.exe.234d648.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
14.2.SndVol.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
14.2.SndVol.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.2.SndVol.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.SndVol.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c708:$a1: Remcos restarted by watchdog! 0x6cc80:$a3: %02i:%02i:%02i:%03i
14.2.SndVol.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x66994:$str_a1: C:\Windows\System32\cmd.exe 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66a04:$str_b2: Executing file: 0x6784c:$str_b3: GetDirectListeningPort 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67380:$str_b7: \update.vbs 0x66a2c:$str_b9: Downloaded file: 0x66a18:$str_b10: Downloading file: 0x66abc:$str_b12: Failed to upload file: 0x67814:$str_b13: StartForward 0x67834:$str_b14: StopForward 0x672d8:$str_b15: fso.DeleteFile " 0x6726c:$str_b16: On Error Resume Next 0x67308:$str_b17: fso.DeleteFolder " 0x66aac:$str_b18: Uploaded file: 0x66a6c:$str_b19: Unable to delete: 0x672a0:$str_b20: while fso.FileExists(" 0x66f49:$str_c0: [Firefox StoredLogins not found]
14.2.SndVol.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66810:$s1: CoGetObject 0x66824:$s1: CoGetObject 0x66840:$s1: CoGetObject 0x70480:$s1: CoGetObject 0x667d0:$s2: Elevation:Administrator!new:
0.2.IRSTaxRefund.exe.2970000.1.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
5.2.colorcpl.exe.7150000.3.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.2.colorcpl.exe.7150000.3.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
5.2.colorcpl.exe.7150000.3.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.colorcpl.exe.7150000.3.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ba8d:$a1: Remcos restarted by watchdog! 0x6c005:$a3: %02i:%02i:%02i:%03i
5.2.colorcpl.exe.7150000.3.unpack	REMCOS_RAT_variants	unknown	unknown	0x65d19:$str_a1: C:\Windows\System32\cmd.exe 0x65c95:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65c95:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66195:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66795:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65d89:$str_b2: Executing file: 0x66bd1:$str_b3: GetDirectListeningPort 0x66585:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66705:$str_b7: \update.vbs 0x65db1:$str_b9: Downloaded file: 0x65d9d:$str_b10: Downloading file: 0x65e41:$str_b12: Failed to upload file: 0x66b99:$str_b13: StartForward 0x66bb9:$str_b14: StopForward 0x6665d:$str_b15: fso.DeleteFile " 0x665f1:$str_b16: On Error Resume Next 0x6668d:$str_b17: fso.DeleteFolder " 0x65e31:$str_b18: Uploaded file: 0x65df1:$str_b19: Unable to delete: 0x66625:$str_b20: while fso.FileExists(" 0x662ce:$str_c0: [Firefox StoredLogins not found]
5.2.colorcpl.exe.7150000.3.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65c05:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65b95:$s1: CoGetObject 0x65ba9:$s1: CoGetObject 0x65bc5:$s1: CoGetObject 0x6f805:$s1: CoGetObject 0x65b55:$s2: Elevation:Administrator!new:
5.2.colorcpl.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.2.colorcpl.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
5.2.colorcpl.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.colorcpl.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c708:$a1: Remcos restarted by watchdog! 0x6cc80:$a3: %02i:%02i:%02i:%03i
5.2.colorcpl.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x66994:$str_a1: C:\Windows\System32\cmd.exe 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66a04:$str_b2: Executing file: 0x6784c:$str_b3: GetDirectListeningPort 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67380:$str_b7: \update.vbs 0x66a2c:$str_b9: Downloaded file: 0x66a18:$str_b10: Downloading file: 0x66abc:$str_b12: Failed to upload file: 0x67814:$str_b13: StartForward 0x67834:$str_b14: StopForward 0x672d8:$str_b15: fso.DeleteFile " 0x6726c:$str_b16: On Error Resume Next 0x67308:$str_b17: fso.DeleteFolder " 0x66aac:$str_b18: Uploaded file: 0x66a6c:$str_b19: Unable to delete: 0x672a0:$str_b20: while fso.FileExists(" 0x66f49:$str_c0: [Firefox StoredLogins not found]
5.2.colorcpl.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66810:$s1: CoGetObject 0x66824:$s1: CoGetObject 0x66840:$s1: CoGetObject 0x70480:$s1: CoGetObject 0x667d0:$s2: Elevation:Administrator!new:
5.2.colorcpl.exe.7150000.3.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.2.colorcpl.exe.7150000.3.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
5.2.colorcpl.exe.7150000.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.colorcpl.exe.7150000.3.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c68d:$a1: Remcos restarted by watchdog! 0x6cc05:$a3: %02i:%02i:%02i:%03i
5.2.colorcpl.exe.7150000.3.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x66919:$str_a1: C:\Windows\System32\cmd.exe 0x66895:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66895:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66d95:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67395:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66989:$str_b2: Executing file: 0x677d1:$str_b3: GetDirectListeningPort 0x67185:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67305:$str_b7: \update.vbs 0x669b1:$str_b9: Downloaded file: 0x6699d:$str_b10: Downloading file: 0x66a41:$str_b12: Failed to upload file: 0x67799:$str_b13: StartForward 0x677b9:$str_b14: StopForward 0x6725d:$str_b15: fso.DeleteFile " 0x671f1:$str_b16: On Error Resume Next 0x6728d:$str_b17: fso.DeleteFolder " 0x66a31:$str_b18: Uploaded file: 0x669f1:$str_b19: Unable to delete: 0x67225:$str_b20: while fso.FileExists(" 0x66ece:$str_c0: [Firefox StoredLogins not found]
5.2.colorcpl.exe.7150000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66805:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66795:$s1: CoGetObject 0x667a9:$s1: CoGetObject 0x667c5:$s1: CoGetObject 0x70405:$s1: CoGetObject 0x66755:$s2: Elevation:Administrator!new:
14.2.SndVol.exe.4bc1985.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
14.2.SndVol.exe.4bc1985.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.2.SndVol.exe.4bc1985.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.SndVol.exe.4bc1985.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69308:$a1: Remcos restarted by watchdog! 0x69880:$a3: %02i:%02i:%02i:%03i
14.2.SndVol.exe.4bc1985.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x63594:$str_a1: C:\Windows\System32\cmd.exe 0x63510:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63510:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63a10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64010:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x63604:$str_b2: Executing file: 0x6444c:$str_b3: GetDirectListeningPort 0x63e00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63f80:$str_b7: \update.vbs 0x6362c:$str_b9: Downloaded file: 0x63618:$str_b10: Downloading file: 0x636bc:$str_b12: Failed to upload file: 0x64414:$str_b13: StartForward 0x64434:$str_b14: StopForward 0x63ed8:$str_b15: fso.DeleteFile " 0x63e6c:$str_b16: On Error Resume Next 0x63f08:$str_b17: fso.DeleteFolder " 0x636ac:$str_b18: Uploaded file: 0x6366c:$str_b19: Unable to delete: 0x63ea0:$str_b20: while fso.FileExists(" 0x63b49:$str_c0: [Firefox StoredLogins not found]
14.2.SndVol.exe.4bc1985.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x63480:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x63410:$s1: CoGetObject 0x63424:$s1: CoGetObject 0x63440:$s1: CoGetObject 0x6d080:$s1: CoGetObject 0x633d0:$s2: Elevation:Administrator!new:
5.2.colorcpl.exe.7151985.4.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.2.colorcpl.exe.7151985.4.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
5.2.colorcpl.exe.7151985.4.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.colorcpl.exe.7151985.4.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69308:$a1: Remcos restarted by watchdog! 0x69880:$a3: %02i:%02i:%02i:%03i
5.2.colorcpl.exe.7151985.4.unpack	REMCOS_RAT_variants	unknown	unknown	0x63594:$str_a1: C:\Windows\System32\cmd.exe 0x63510:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63510:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63a10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64010:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x63604:$str_b2: Executing file: 0x6444c:$str_b3: GetDirectListeningPort 0x63e00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63f80:$str_b7: \update.vbs 0x6362c:$str_b9: Downloaded file: 0x63618:$str_b10: Downloading file: 0x636bc:$str_b12: Failed to upload file: 0x64414:$str_b13: StartForward 0x64434:$str_b14: StopForward 0x63ed8:$str_b15: fso.DeleteFile " 0x63e6c:$str_b16: On Error Resume Next 0x63f08:$str_b17: fso.DeleteFolder " 0x636ac:$str_b18: Uploaded file: 0x6366c:$str_b19: Unable to delete: 0x63ea0:$str_b20: while fso.FileExists(" 0x63b49:$str_c0: [Firefox StoredLogins not found]
5.2.colorcpl.exe.7151985.4.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x63480:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x63410:$s1: CoGetObject 0x63424:$s1: CoGetObject 0x63440:$s1: CoGetObject 0x6d080:$s1: CoGetObject 0x633d0:$s2: Elevation:Administrator!new:
11.2.SndVol.exe.4ac1985.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
11.2.SndVol.exe.4ac1985.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.SndVol.exe.4ac1985.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.SndVol.exe.4ac1985.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
11.2.SndVol.exe.4ac1985.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64f94:$str_a1: C:\Windows\System32\cmd.exe 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65004:$str_b2: Executing file: 0x65e4c:$str_b3: GetDirectListeningPort 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65980:$str_b7: \update.vbs 0x6502c:$str_b9: Downloaded file: 0x65018:$str_b10: Downloading file: 0x650bc:$str_b12: Failed to upload file: 0x65e14:$str_b13: StartForward 0x65e34:$str_b14: StopForward 0x658d8:$str_b15: fso.DeleteFile " 0x6586c:$str_b16: On Error Resume Next 0x65908:$str_b17: fso.DeleteFolder " 0x650ac:$str_b18: Uploaded file: 0x6506c:$str_b19: Unable to delete: 0x658a0:$str_b20: while fso.FileExists(" 0x65549:$str_c0: [Firefox StoredLogins not found]
11.2.SndVol.exe.4ac1985.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
Click to see the 106 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\Desktop\IRSTaxRefund.exe, ProcessId: 7292, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Libraries\Tmohrqmb.PIF" , CommandLine: "C:\Users\Public\Libraries\Tmohrqmb.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Tmohrqmb.PIF, NewProcessName: C:\Users\Public\Libraries\Tmohrqmb.PIF, OriginalFileName: C:\Users\Public\Libraries\Tmohrqmb.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\Public\Libraries\Tmohrqmb.PIF" , ProcessId: 7732, ProcessName: Tmohrqmb.PIF

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Tmohrqmb.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\IRSTaxRefund.exe, ProcessId: 7292, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tmohrqmb

Sigma detected: Suspicious Creation with Colorcpl

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 7472, TargetFilename: C:\Users\user

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Tmohrqmb.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\IRSTaxRefund.exe, ProcessId: 7292, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tmohrqmb

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: "C:\Users\Public\Libraries\Tmohrqmb.PIF" , CommandLine: "C:\Users\Public\Libraries\Tmohrqmb.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Tmohrqmb.PIF, NewProcessName: C:\Users\Public\Libraries\Tmohrqmb.PIF, OriginalFileName: C:\Users\Public\Libraries\Tmohrqmb.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\Public\Libraries\Tmohrqmb.PIF" , ProcessId: 7732, ProcessName: Tmohrqmb.PIF

Suricata Signatures

ET MALWARE Remcos 3.x Unencrypted Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T12:36:11.706599+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49731	45.144.214.126	4126	TCP

ET MALWARE Remcos 3.x Unencrypted Server Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T12:36:12.606616+0100	2032777	1	Malware Command and Control Activity Detected	45.144.214.126	4126	192.168.2.4	49731	TCP
2025-02-15T12:38:21.529583+0100	2032777	1	Malware Command and Control Activity Detected	45.144.214.126	4126	192.168.2.4	49731	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T12:36:13.620424+0100	2803304	3	Unknown Traffic	192.168.2.4	49733	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 5.2.colorcpl.exe.7151985.4.raw.unpack

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["frontofficefax20.home-webserver.de:4126:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "oiuytu-9JC965", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "iuytrtyu", "Keylog file max size": ""}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Tmohrqmb.PIF

ReversingLabs: Detection: 27%

Multi AV Scanner detection for submitted file

Source: IRSTaxRefund.exe	ReversingLabs: Detection: 27%
Source: IRSTaxRefund.exe	Virustotal: Detection: 33%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac1985.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc1985.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7151985.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7150000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7150000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc1985.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7151985.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac1985.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.1894324058.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1812493335.0000000004AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1896020251.0000000004BC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4146895773.0000000007150000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1811552220.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4143664674.0000000003011000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1894763646.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1811250276.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1894262247.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4140858643.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\iuytrtyu\logs.dat, type: DROPPED

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00432B45 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	5_2_00432B45
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_071838CA CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	5_2_071838CA
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00432B45 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	11_2_00432B45
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AF38CA CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	11_2_04AF38CA

Source: colorcpl.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 11.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac1985.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc1985.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7151985.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7150000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7150000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc1985.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7151985.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac1985.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1812493335.0000000004AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1896020251.0000000004BC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4146895773.0000000007150000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1811552220.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1894763646.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4140858643.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 8036, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00406764 _wcslen,CoGetObject,		5_2_00406764
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00406764 _wcslen,CoGetObject,		11_2_00406764

Source: IRSTaxRefund.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:	Binary string: easinvoker.pdb source: IRSTaxRefund.exe, 00000000.00000002.1716729044.00000000207CB000.00000004.00001000.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000003.1671698705.000000007F060000.00000004.00001000.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000003.1671698705.000000007F073000.00000004.00001000.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000003.1671125001.000000007ECEF000.00000004.00001000.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000002.1716729044.000000002079C000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.0.dr
Source:	Binary string: easinvoker.pdbGCTL source: IRSTaxRefund.exe, 00000000.00000002.1716729044.00000000207CB000.00000004.00001000.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000003.1682384750.0000000000857000.00000004.00000020.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000003.1671698705.000000007F060000.00000004.00001000.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000003.1682384750.0000000000886000.00000004.00000020.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000003.1671698705.000000007F073000.00000004.00001000.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000003.1671125001.000000007ECEF000.00000004.00001000.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000002.1716729044.000000002079C000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.0.dr

Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_0297534C GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	0_2_0297534C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	5_2_0040B335
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	5_2_0040B53A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	5_2_0041B63A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	5_2_004089A9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00406AC2 FindFirstFileW,FindNextFileW,	5_2_00406AC2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	5_2_00407A8C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	5_2_00408DA7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,	5_2_00418E5F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0716C3BF FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	5_2_0716C3BF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0715C2BF FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	5_2_0715C2BF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0715C0BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	5_2_0715C0BA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_07158811 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	5_2_07158811
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0715972E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	5_2_0715972E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_07159B2C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	5_2_07159B2C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_07169BE4 FindFirstFileW,	5_2_07169BE4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_07157847 FindFirstFileW,FindNextFileW,	5_2_07157847
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_052910F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_052910F1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0040AE51 FindFirstFileW,FindNextFileW,	7_2_0040AE51
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	8_2_00407EF8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 9_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	9_2_00407898
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	11_2_0040B335
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	11_2_0040B53A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	11_2_0041B63A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	11_2_004089A9
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00406AC2 FindFirstFileW,FindNextFileW,	11_2_00406AC2
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	11_2_00407A8C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	11_2_00408DA7
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,	11_2_00418E5F
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04ACC0BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	11_2_04ACC0BA
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04ACC2BF FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	11_2_04ACC2BF
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04ADC3BF FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	11_2_04ADC3BF
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AC8811 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	11_2_04AC8811
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AC972E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	11_2_04AC972E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AC7847 FindFirstFileW,FindNextFileW,	11_2_04AC7847
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AD9BE4 FindFirstFileW,	11_2_04AD9BE4
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AC9B2C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	11_2_04AC9B2C

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

5_2_00406F06

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49731 -> 45.144.214.126:4126
Source: Network traffic	Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 45.144.214.126:4126 -> 192.168.2.4:49731

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: frontofficefax20.home-webserver.de

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 45.144.214.126:4126

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: HPC-MVM-ASHU HPC-MVM-ASHU

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49733 -> 178.237.33.50:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_0040455B WaitForSingleObject,SetEvent,recv,

5_2_0040455B

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: colorcpl.exe, 00000005.00000002.4146646241.0000000005260000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000009.00000002.1727076537.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: colorcpl.exe, colorcpl.exe, 00000009.00000002.1727076537.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: colorcpl.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: bhv6B80.tmp.7.dr	String found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhv6B80.tmp.7.dr	String found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (Linkedin)
Source: colorcpl.exe, 00000007.00000003.1744514210.000000000304D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: colorcpl.exe, 00000007.00000003.1744514210.000000000304D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: colorcpl.exe, 00000005.00000002.4159571342.00000000260F0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000007.00000002.1745203628.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: colorcpl.exe, 00000005.00000002.4159571342.00000000260F0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000007.00000002.1745203628.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: frontofficefax20.home-webserver.de
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: colorcpl.exe, 00000005.00000003.1717700032.0000000003064000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1714653918.0000000003064000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1719040592.0000000003064000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1720924755.0000000003064000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1721215104.0000000003064000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1721716564.0000000003064000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/V
Source: colorcpl.exe, 00000005.00000003.1747361234.0000000003021000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1721215104.000000000305E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4145914838.000000000305E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1717832744.000000000305C000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: colorcpl.exe, 00000005.00000002.4146895773.0000000007150000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4140858643.0000000000400000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 0000000B.00000002.1812493335.0000000004AC0000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 0000000B.00000002.1811552220.0000000000400000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 0000000E.00000002.1896020251.0000000004BC0000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 0000000E.00000002.1894763646.0000000000400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: colorcpl.exe, 00000005.00000002.4143664674.0000000002FD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp?
Source: colorcpl.exe, 00000005.00000003.1717700032.0000000003021000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1721716564.0000000003030000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1714509144.0000000003031000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1720924755.0000000003030000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpJ
Source: colorcpl.exe, 00000005.00000002.4143664674.0000000002FD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpQ
Source: colorcpl.exe, 00000005.00000003.1717700032.0000000003021000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4145546656.000000000302F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1721716564.0000000003030000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1714509144.0000000003031000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1720924755.0000000003030000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1747361234.0000000003021000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: colorcpl.exe, 00000005.00000002.4143664674.0000000002FD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpT
Source: colorcpl.exe, 00000005.00000003.1717700032.0000000003021000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1721716564.0000000003030000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1714509144.0000000003031000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1720924755.0000000003030000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpl
Source: colorcpl.exe, 00000005.00000003.1717700032.0000000003021000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4145546656.000000000302F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1721716564.0000000003030000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1714509144.0000000003031000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1720924755.0000000003030000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1747361234.0000000003021000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpr
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0Q
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://ocspx.digicert.com0E
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: colorcpl.exe, colorcpl.exe, 00000009.00000002.1727076537.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: colorcpl.exe, colorcpl.exe, 00000009.00000002.1727740365.0000000000D5D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.1727076537.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: colorcpl.exe, 00000005.00000002.4146646241.0000000005260000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000009.00000002.1727076537.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: colorcpl.exe, 00000005.00000002.4146646241.0000000005260000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000009.00000002.1727076537.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: colorcpl.exe, 00000009.00000002.1727740365.0000000000D5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.comta
Source: bhv6B80.tmp.7.dr	String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696334965379
Source: colorcpl.exe, 00000007.00000002.1745441308.0000000000A34000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: colorcpl.exe, 00000009.00000002.1727076537.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: IRSTaxRefund.exe, 00000000.00000002.1741661236.000000007ED9F000.00000004.00001000.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000002.1716729044.0000000020839000.00000004.00001000.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000003.1671698705.000000007F0EC000.00000004.00001000.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000003.1671698705.000000007F073000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pmail.com
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?99bdaa7641aea1439604d0afe8971477
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?bc7d158a1b0c0bcddb88a222b6122bda
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?4be9f57fdbd89d63c136fa90032d1d91
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?e5772e13592c9d33c9159aed24f891a7
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?a6aceac28fb5ae421a73cab7cdd76bd8
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?b57fe5cd49060a950d25a1d237496815
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?2f6c563d6db8702d4f61cfc28e14d6ba
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?3dacce210479f0b4d47ed33c21160712
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?7e0e9c3a9f02f17275e789accf11532b
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?81f59f7d566abbd2077a5b6cdfd04c7b
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?3c5bdbf226e2549812723f51b8fe2023
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?c50299ad5b45bb3d4c7a57024998a291
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: colorcpl.exe, 00000007.00000003.1744514210.000000000304D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae
Source: colorcpl.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_sKiljltKC1Ne_Y3fl1HuHQ2.css
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qo
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2.js
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=27ff908e89d7b6264fde
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=586ba6
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=7ccb04
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=b1ed69
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: colorcpl.exe, colorcpl.exe, 00000009.00000002.1727076537.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: colorcpl.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv6B80.tmp.7.dr	String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000

5_2_004099E4

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_00415B5E

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	5_2_00415B5E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_071668E3 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	5_2_071668E3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	7_2_0040987A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	7_2_004098E2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	8_2_00406DFC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	8_2_00406E9F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 9_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	9_2_004068B5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 9_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	9_2_004072B5
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	11_2_00415B5E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AD68E3 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	11_2_04AD68E3

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_00415B5E

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

5_2_00409B10

Source: Yara match	File source: 11.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac1985.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc1985.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7151985.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7150000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7150000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc1985.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7151985.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac1985.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1812493335.0000000004AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1896020251.0000000004BC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4146895773.0000000007150000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1811552220.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1894763646.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4140858643.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 8036, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac1985.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc1985.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7151985.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7150000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7150000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc1985.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7151985.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac1985.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.1894324058.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1812493335.0000000004AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1896020251.0000000004BC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4146895773.0000000007150000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1811552220.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4143664674.0000000003011000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1894763646.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1811250276.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1894262247.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4140858643.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\iuytrtyu\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0041BD82 SystemParametersInfoW,	5_2_0041BD82
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0716CB07 SystemParametersInfoW,	5_2_0716CB07
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0041BD82 SystemParametersInfoW,	11_2_0041BD82
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04ADCB07 SystemParametersInfoW,	11_2_04ADCB07

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.SndVol.exe.4ac1985.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.SndVol.exe.4ac1985.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.SndVol.exe.4ac1985.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.SndVol.exe.4bc1985.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.SndVol.exe.4bc1985.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.SndVol.exe.4bc1985.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.SndVol.exe.4ac0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.SndVol.exe.4ac0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.SndVol.exe.4ac0000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.SndVol.exe.4ac0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.SndVol.exe.4ac0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.SndVol.exe.4ac0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.SndVol.exe.4bc0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.SndVol.exe.4bc0000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.SndVol.exe.4bc0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.colorcpl.exe.7151985.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.colorcpl.exe.7151985.4.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.colorcpl.exe.7151985.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.SndVol.exe.4bc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.SndVol.exe.4bc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.SndVol.exe.4bc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.colorcpl.exe.7150000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.colorcpl.exe.7150000.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.colorcpl.exe.7150000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.colorcpl.exe.7150000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.colorcpl.exe.7150000.3.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.colorcpl.exe.7150000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.SndVol.exe.4bc1985.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.SndVol.exe.4bc1985.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.SndVol.exe.4bc1985.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.colorcpl.exe.7151985.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.colorcpl.exe.7151985.4.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.colorcpl.exe.7151985.4.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.SndVol.exe.4ac1985.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.SndVol.exe.4ac1985.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.SndVol.exe.4ac1985.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000B.00000002.1812493335.0000000004AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.1812493335.0000000004AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000B.00000002.1812493335.0000000004AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000E.00000002.1896020251.0000000004BC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000E.00000002.1896020251.0000000004BC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000E.00000002.1896020251.0000000004BC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.4146895773.0000000007150000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.4146895773.0000000007150000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000005.00000002.4146895773.0000000007150000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000B.00000002.1811552220.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.1811552220.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000B.00000002.1811552220.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000E.00000002.1894763646.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000E.00000002.1894763646.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000E.00000002.1894763646.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.4140858643.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.4140858643.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000005.00000002.4140858643.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: colorcpl.exe PID: 7472, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: SndVol.exe PID: 7784, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: SndVol.exe PID: 8036, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: IRSTaxRefund.exe

Source: C:\Windows\SysWOW64\colorcpl.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_029833F8 NtWriteVirtualMemory,	0_2_029833F8
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_029830AC NtAllocateVirtualMemory,	0_2_029830AC
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_029896E4 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_029896E4
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_02989600 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_02989600
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_02989578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_02989578
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_02986A8C GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx,	0_2_02986A8C
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_029842A8 GetThreadContext,SetThreadContext,NtResumeThread,	0_2_029842A8
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_029842A6 GetThreadContext,SetThreadContext,NtResumeThread,	0_2_029842A6
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_029830AA NtAllocateVirtualMemory,	0_2_029830AA
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_02989524 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_02989524
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_02983A14 NtProtectVirtualMemory,	0_2_02983A14
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0041742B GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	5_2_0041742B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0041AECC OpenProcess,NtSuspendProcess,CloseHandle,	5_2_0041AECC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0041AEF8 OpenProcess,NtResumeProcess,CloseHandle,	5_2_0041AEF8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_071681B0 CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	5_2_071681B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0716BC51 OpenProcess,NtSuspendProcess,CloseHandle,	5_2_0716BC51
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0716BC7D OpenProcess,NtResumeProcess,CloseHandle,	5_2_0716BC7D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0716DA2E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	5_2_0716DA2E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	7_2_0040DD85
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_00401806 NtdllDefWindowProc_W,	7_2_00401806
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_004018C0 NtdllDefWindowProc_W,	7_2_004018C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_004016FD NtdllDefWindowProc_A,	8_2_004016FD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_004017B7 NtdllDefWindowProc_A,	8_2_004017B7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 9_2_00402CAC NtdllDefWindowProc_A,	9_2_00402CAC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 9_2_00402D66 NtdllDefWindowProc_A,	9_2_00402D66
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: 10_2_02AC6A8C GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx,	10_2_02AC6A8C
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: 10_2_02AC33F8 NtWriteVirtualMemory,	10_2_02AC33F8
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: 10_2_02AC30AC NtAllocateVirtualMemory,	10_2_02AC30AC
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: 10_2_02AC96E4 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	10_2_02AC96E4
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: 10_2_02AC3AAC NtProtectVirtualMemory,	10_2_02AC3AAC
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: 10_2_02AC42A8 Toolhelp32ReadProcessMemory,Thread32Next,GetThreadContext,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Toolhelp32ReadProcessMemory,Heap32ListFirst,SetThreadContext,NtResumeThread,Thread32Next,	10_2_02AC42A8
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: 10_2_02AC42A6 Toolhelp32ReadProcessMemory,Thread32Next,GetThreadContext,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Toolhelp32ReadProcessMemory,Heap32ListFirst,SetThreadContext,NtResumeThread,Thread32Next,	10_2_02AC42A6
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: 10_2_02AC3A14 NtProtectVirtualMemory,	10_2_02AC3A14
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: 10_2_02AC30AA NtAllocateVirtualMemory,	10_2_02AC30AA
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: 10_2_02AC9600 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	10_2_02AC9600
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: 10_2_02AC3493 NtWriteVirtualMemory,	10_2_02AC3493
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: 10_2_02AC9524 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	10_2_02AC9524
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: 10_2_02AC9578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	10_2_02AC9578
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04ADDA2E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	11_2_04ADDA2E

Source: C:\Users\user\Desktop\IRSTaxRefund.exe

Code function: 0_2_0298AE54 InetIsOffline,Sleep,Sleep,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

0_2_0298AE54

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00415A51 ExitWindowsEx,LoadLibraryA,GetProcAddress,	5_2_00415A51
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_071667D6 ExitWindowsEx,LoadLibraryA,GetProcAddress,	5_2_071667D6
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00415A51 ExitWindowsEx,LoadLibraryA,GetProcAddress,	11_2_00415A51
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AD67D6 ExitWindowsEx,LoadLibraryA,GetProcAddress,	11_2_04AD67D6

Source: C:\Users\user\Desktop\IRSTaxRefund.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	File created: C:\Windows \SysWOW64\NETUTILS.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows \SysWOW64	Jump to behavior

Source: C:\Users\user\Desktop\IRSTaxRefund.exe

File deleted: C:\Windows \SysWOW64\svchost.pif

Jump to behavior

Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_029720B4	0_2_029720B4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0043D04B	5_2_0043D04B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0042707E	5_2_0042707E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0041301D	5_2_0041301D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00441030	5_2_00441030
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00453110	5_2_00453110
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_004271B8	5_2_004271B8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0041D27C	5_2_0041D27C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_004522E2	5_2_004522E2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0043D2A8	5_2_0043D2A8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00437360	5_2_00437360
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_004363BA	5_2_004363BA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0042645F	5_2_0042645F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00431582	5_2_00431582
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0043672C	5_2_0043672C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0041E7EA	5_2_0041E7EA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0044C949	5_2_0044C949
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_004269D6	5_2_004269D6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_004369D6	5_2_004369D6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0043CBED	5_2_0043CBED
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00432C54	5_2_00432C54
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00436C9D	5_2_00436C9D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0043CE1C	5_2_0043CE1C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00436F58	5_2_00436F58
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00434F32	5_2_00434F32
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_07182307	5_2_07182307
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0716E001	5_2_0716E001
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0718E02D	5_2_0718E02D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_071880E5	5_2_071880E5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0718775B	5_2_0718775B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0717775B	5_2_0717775B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0719D6CE	5_2_0719D6CE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0716F56F	5_2_0716F56F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_071874B1	5_2_071874B1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0718713F	5_2_0718713F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_071771E4	5_2_071771E4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_071A3067	5_2_071A3067
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_07177F3D	5_2_07177F3D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_07177E03	5_2_07177E03
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_07191DB5	5_2_07191DB5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_07163DA2	5_2_07163DA2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0718DDD0	5_2_0718DDD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_07185CB7	5_2_07185CB7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_07187CDD	5_2_07187CDD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0718DBA1	5_2_0718DBA1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_07187A22	5_2_07187A22
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0718D972	5_2_0718D972
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_071839D9	5_2_071839D9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0529B5C1	5_2_0529B5C1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_052A7194	5_2_052A7194
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0044B040	7_2_0044B040
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0043610D	7_2_0043610D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_00447310	7_2_00447310
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0044A490	7_2_0044A490
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0040755A	7_2_0040755A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0043C560	7_2_0043C560
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0044B610	7_2_0044B610
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0044D6C0	7_2_0044D6C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_004476F0	7_2_004476F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0044B870	7_2_0044B870
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0044081D	7_2_0044081D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_00414957	7_2_00414957
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_004079EE	7_2_004079EE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_00407AEB	7_2_00407AEB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0044AA80	7_2_0044AA80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_00412AA9	7_2_00412AA9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_00404B74	7_2_00404B74
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_00404B03	7_2_00404B03
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0044BBD8	7_2_0044BBD8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_00404BE5	7_2_00404BE5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_00404C76	7_2_00404C76
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_00415CFE	7_2_00415CFE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_00416D72	7_2_00416D72
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_00446D30	7_2_00446D30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_00446D8B	7_2_00446D8B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_00406E8F	7_2_00406E8F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_00405038	8_2_00405038
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_0041208C	8_2_0041208C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_004050A9	8_2_004050A9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_0040511A	8_2_0040511A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_0043C13A	8_2_0043C13A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_004051AB	8_2_004051AB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_00449300	8_2_00449300
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_0040D322	8_2_0040D322
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_0044A4F0	8_2_0044A4F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_0043A5AB	8_2_0043A5AB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_00413631	8_2_00413631
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_00446690	8_2_00446690
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_0044A730	8_2_0044A730
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_004398D8	8_2_004398D8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_004498E0	8_2_004498E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_0044A886	8_2_0044A886
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_0043DA09	8_2_0043DA09
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_00438D5E	8_2_00438D5E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_00449ED0	8_2_00449ED0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_0041FE83	8_2_0041FE83
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_00430F54	8_2_00430F54
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 9_2_004050C2	9_2_004050C2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 9_2_004014AB	9_2_004014AB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 9_2_00405133	9_2_00405133
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 9_2_004051A4	9_2_004051A4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 9_2_00401246	9_2_00401246
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 9_2_0040CA46	9_2_0040CA46
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 9_2_00405235	9_2_00405235
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 9_2_004032C8	9_2_004032C8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 9_2_00401689	9_2_00401689
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 9_2_00402F60	9_2_00402F60
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: 10_2_02AB20B4	10_2_02AB20B4
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0043D04B	11_2_0043D04B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0042707E	11_2_0042707E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0041301D	11_2_0041301D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00441030	11_2_00441030
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00453110	11_2_00453110
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_004271B8	11_2_004271B8
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0041D27C	11_2_0041D27C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_004522E2	11_2_004522E2
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0043D2A8	11_2_0043D2A8
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00437360	11_2_00437360
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_004363BA	11_2_004363BA
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0042645F	11_2_0042645F
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00431582	11_2_00431582
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0043672C	11_2_0043672C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0041E7EA	11_2_0041E7EA
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0044C949	11_2_0044C949
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_004269D6	11_2_004269D6
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_004369D6	11_2_004369D6
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0043CBED	11_2_0043CBED
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00432C54	11_2_00432C54
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00436C9D	11_2_00436C9D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0043CE1C	11_2_0043CE1C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00436F58	11_2_00436F58
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00434F32	11_2_00434F32
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AF80E5	11_2_04AF80E5
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AFE02D	11_2_04AFE02D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04ADE001	11_2_04ADE001
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AF2307	11_2_04AF2307
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AF74B1	11_2_04AF74B1
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04ADF56F	11_2_04ADF56F
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04B0D6CE	11_2_04B0D6CE
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AF775B	11_2_04AF775B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AE775B	11_2_04AE775B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04B13067	11_2_04B13067
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AE71E4	11_2_04AE71E4
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AF713F	11_2_04AF713F
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AF5CB7	11_2_04AF5CB7
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AF7CDD	11_2_04AF7CDD
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04B01DB5	11_2_04B01DB5
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AD3DA2	11_2_04AD3DA2
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AFDDD0	11_2_04AFDDD0
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AE7E03	11_2_04AE7E03
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AE7F3D	11_2_04AE7F3D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AF39D9	11_2_04AF39D9
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AFD972	11_2_04AFD972
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AF7A22	11_2_04AF7A22
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AFDBA1	11_2_04AFDBA1

Source: Joe Sandbox View

Dropped File: C:\Windows \SysWOW64\svchost.pif 0DB4D3FFDB96D13CF3B427AF8BE66D985728C55AE254E4B67D287797E4C0B323

Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: String function: 02974444 appears 154 times
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: String function: 02983E98 appears 50 times
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: String function: 0297424C appears 64 times
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: String function: 029745D0 appears 576 times
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: String function: 02974270 appears 31 times
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: String function: 02AB45D0 appears 576 times
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: String function: 02AC3E98 appears 50 times
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: String function: 02AB4444 appears 154 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 00433AB0 appears 41 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 004341C0 appears 55 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 00401F66 appears 50 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 07152E6C appears 39 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 004020E7 appears 40 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 07184835 appears 40 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 07184F45 appears 54 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 00413025 appears 79 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 00416760 appears 69 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 004020E7 appears 39 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 00433AB0 appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 04AC2E6C appears 39 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 004341C0 appears 55 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 04AF4F45 appears 54 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 00401F66 appears 50 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 04AF4835 appears 40 times

Source: NETUTILS.dll.0.dr

Static PE information: Number of sections : 19 > 10

Source: IRSTaxRefund.exe, 00000000.00000003.1671125001.000000007ED0C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs IRSTaxRefund.exe
Source: IRSTaxRefund.exe, 00000000.00000002.1716729044.00000000207CB000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs IRSTaxRefund.exe
Source: IRSTaxRefund.exe, 00000000.00000002.1741661236.000000007ED9F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs IRSTaxRefund.exe
Source: IRSTaxRefund.exe, 00000000.00000002.1716729044.0000000020839000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs IRSTaxRefund.exe
Source: IRSTaxRefund.exe, 00000000.00000002.1716729044.0000000020839000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs IRSTaxRefund.exe
Source: IRSTaxRefund.exe, 00000000.00000003.1682384750.00000000008AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs IRSTaxRefund.exe
Source: IRSTaxRefund.exe, 00000000.00000003.1671698705.000000007F0EC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs IRSTaxRefund.exe
Source: IRSTaxRefund.exe, 00000000.00000003.1671698705.000000007F0EC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs IRSTaxRefund.exe
Source: IRSTaxRefund.exe, 00000000.00000003.1671698705.000000007F073000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs IRSTaxRefund.exe
Source: IRSTaxRefund.exe, 00000000.00000003.1671698705.000000007F073000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs IRSTaxRefund.exe
Source: IRSTaxRefund.exe, 00000000.00000003.1682384750.000000000087B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs IRSTaxRefund.exe

Source: IRSTaxRefund.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 11.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.SndVol.exe.4ac1985.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.SndVol.exe.4ac1985.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.SndVol.exe.4ac1985.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.SndVol.exe.4bc1985.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.SndVol.exe.4bc1985.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.SndVol.exe.4bc1985.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.SndVol.exe.4ac0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.SndVol.exe.4ac0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.SndVol.exe.4ac0000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.SndVol.exe.4ac0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.SndVol.exe.4ac0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.SndVol.exe.4ac0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.SndVol.exe.4bc0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.SndVol.exe.4bc0000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.SndVol.exe.4bc0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.colorcpl.exe.7151985.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.7151985.4.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.7151985.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.SndVol.exe.4bc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.SndVol.exe.4bc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.SndVol.exe.4bc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.colorcpl.exe.7150000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.7150000.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.7150000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.colorcpl.exe.7150000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.7150000.3.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.7150000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.SndVol.exe.4bc1985.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.SndVol.exe.4bc1985.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.SndVol.exe.4bc1985.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.colorcpl.exe.7151985.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.7151985.4.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.7151985.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.SndVol.exe.4ac1985.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.SndVol.exe.4ac1985.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.SndVol.exe.4ac1985.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000B.00000002.1812493335.0000000004AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.1812493335.0000000004AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000B.00000002.1812493335.0000000004AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000E.00000002.1896020251.0000000004BC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000E.00000002.1896020251.0000000004BC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000E.00000002.1896020251.0000000004BC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.4146895773.0000000007150000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.4146895773.0000000007150000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000005.00000002.4146895773.0000000007150000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000B.00000002.1811552220.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.1811552220.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000B.00000002.1811552220.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000E.00000002.1894763646.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000E.00000002.1894763646.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000E.00000002.1894763646.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.4140858643.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.4140858643.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000005.00000002.4140858643.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: colorcpl.exe PID: 7472, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: SndVol.exe PID: 7784, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: SndVol.exe PID: 8036, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@25/11@2/2

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 7_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

7_2_004182CE

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00416C9D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	5_2_00416C9D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_07167A22 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	5_2_07167A22
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 9_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,	9_2_00410DE1
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00416C9D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	11_2_00416C9D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AD7A22 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	11_2_04AD7A22

Source: C:\Users\user\Desktop\IRSTaxRefund.exe

Code function: 0_2_029779B4 GetDiskFreeSpaceA,

0_2_029779B4

Source: C:\Users\user\Desktop\IRSTaxRefund.exe

Code function: 0_2_0298670C CreateToolhelp32Snapshot,

0_2_0298670C

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_0041A84A FindResourceA,LoadResource,LockResource,SizeofResource,

5_2_0041A84A

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_00419DBA OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

5_2_00419DBA

Source: C:\Users\user\Desktop\IRSTaxRefund.exe

File created: C:\Users\Public\TmohrqmbF.cmd

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Mutant created: \Sessions\1\BaseNamedObjects\oiuytu-9JC965
Source: C:\Windows\SysWOW64\SndVol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Windows Volume App Window
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03

Source: C:\Windows\SysWOW64\colorcpl.exe

File created: C:\Users\user\AppData\Local\Temp\bhv6B80.tmp

Jump to behavior

Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\IRSTaxRefund.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: colorcpl.exe, colorcpl.exe, 00000007.00000002.1745203628.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: colorcpl.exe, colorcpl.exe, 00000008.00000002.1725654279.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: colorcpl.exe, 00000005.00000002.4159571342.00000000260F0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000007.00000002.1745203628.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: colorcpl.exe, colorcpl.exe, 00000007.00000002.1745203628.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: colorcpl.exe, colorcpl.exe, 00000007.00000002.1745203628.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: colorcpl.exe, colorcpl.exe, 00000007.00000002.1745203628.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: colorcpl.exe, 00000007.00000002.1746331179.000000000481A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.1744859230.000000000481A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.1744310231.000000000481A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: colorcpl.exe, colorcpl.exe, 00000007.00000002.1745203628.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: IRSTaxRefund.exe	ReversingLabs: Detection: 27%
Source: IRSTaxRefund.exe	Virustotal: Detection: 33%

Source: C:\Users\user\Desktop\IRSTaxRefund.exe

File read: C:\Users\user\Desktop\IRSTaxRefund.exe

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Users\user\Desktop\IRSTaxRefund.exe "C:\Users\user\Desktop\IRSTaxRefund.exe"
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\TmohrqmbF.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\NEO.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\user\AppData\Local\Temp\arbpnwwkbdbggftjlfvxogreibczuy"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\user\AppData\Local\Temp\arbpnwwkbdbggftjlfvxogreibczuy"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\user\AppData\Local\Temp\dlgiophmpltlilpvupprzllvriuivjxce"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\user\AppData\Local\Temp\nnlao"
Source: unknown	Process created: C:\Users\Public\Libraries\Tmohrqmb.PIF "C:\Users\Public\Libraries\Tmohrqmb.PIF"
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: unknown	Process created: C:\Users\Public\Libraries\Tmohrqmb.PIF "C:\Users\Public\Libraries\Tmohrqmb.PIF"
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\TmohrqmbF.cmd" "	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\NEO.cmd" "	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\user\AppData\Local\Temp\arbpnwwkbdbggftjlfvxogreibczuy"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\user\AppData\Local\Temp\arbpnwwkbdbggftjlfvxogreibczuy"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\user\AppData\Local\Temp\dlgiophmpltlilpvupprzllvriuivjxce"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\user\AppData\Local\Temp\nnlao"	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe	Jump to behavior

Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: colorui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: sti.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: url.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: url.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: atlthunk.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: mmdevapi.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: wininet.dll

Source: C:\Users\user\Desktop\IRSTaxRefund.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\colorcpl.exe

Window detected: Number of UI elements: 12

Source: C:\Windows\SysWOW64\colorcpl.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: IRSTaxRefund.exe

Static file information: File size 1629696 > 1048576

Source: IRSTaxRefund.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x114c00

Source:	Binary string: easinvoker.pdb source: IRSTaxRefund.exe, 00000000.00000002.1716729044.00000000207CB000.00000004.00001000.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000003.1671698705.000000007F060000.00000004.00001000.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000003.1671698705.000000007F073000.00000004.00001000.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000003.1671125001.000000007ECEF000.00000004.00001000.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000002.1716729044.000000002079C000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.0.dr
Source:	Binary string: easinvoker.pdbGCTL source: IRSTaxRefund.exe, 00000000.00000002.1716729044.00000000207CB000.00000004.00001000.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000003.1682384750.0000000000857000.00000004.00000020.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000003.1671698705.000000007F060000.00000004.00001000.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000003.1682384750.0000000000886000.00000004.00000020.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000003.1671698705.000000007F073000.00000004.00001000.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000003.1671125001.000000007ECEF000.00000004.00001000.00020000.00000000.sdmp, IRSTaxRefund.exe, 00000000.00000002.1716729044.000000002079C000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.0.dr

Data Obfuscation

Yara detected DBatLoader

Source: Yara match	File source: 0.2.IRSTaxRefund.exe.234d648.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IRSTaxRefund.exe.234d648.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IRSTaxRefund.exe.2970000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1696793726.000000000234D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: svchost.pif.0.dr

Static PE information: 0xA57E43AD [Tue Dec 25 14:18:21 2057 UTC]

Source: C:\Users\user\Desktop\IRSTaxRefund.exe

Code function: 0_2_02983E98 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_02983E98

Source: NETUTILS.dll.0.dr	Static PE information: real checksum: 0x2792e should be: 0x28440
Source: Tmohrqmb.PIF.0.dr	Static PE information: real checksum: 0x0 should be: 0x1988e0
Source: IRSTaxRefund.exe	Static PE information: real checksum: 0x0 should be: 0x1988e0

Source: svchost.pif.0.dr	Static PE information: section name: .imrsiv
Source: svchost.pif.0.dr	Static PE information: section name: .didat
Source: NETUTILS.dll.0.dr	Static PE information: section name: .xdata
Source: NETUTILS.dll.0.dr	Static PE information: section name: /4
Source: NETUTILS.dll.0.dr	Static PE information: section name: /19
Source: NETUTILS.dll.0.dr	Static PE information: section name: /31
Source: NETUTILS.dll.0.dr	Static PE information: section name: /45
Source: NETUTILS.dll.0.dr	Static PE information: section name: /57
Source: NETUTILS.dll.0.dr	Static PE information: section name: /70
Source: NETUTILS.dll.0.dr	Static PE information: section name: /81
Source: NETUTILS.dll.0.dr	Static PE information: section name: /92

Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_029962A4 push 0299630Fh; ret	0_2_02996307
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_02973240 push eax; ret	0_2_0297327C
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_029960AC push 02996125h; ret	0_2_0299611D
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_02986018 push 02986050h; ret	0_2_02986048
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_02984010 push 02984048h; ret	0_2_02984040
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_0298400E push 02984048h; ret	0_2_02984040
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_029761BE push 02976202h; ret	0_2_029761FA
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_029761C0 push 02976202h; ret	0_2_029761FA
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_029961F8 push 02996288h; ret	0_2_02996280
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_02996144 push 029961ECh; ret	0_2_029961E4
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_0297F677 push 0297F6C5h; ret	0_2_0297F6BD
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_0297F678 push 0297F6C5h; ret	0_2_0297F6BD
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_02982488 push ecx; mov dword ptr [esp], edx	0_2_0298248A
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_0297C4FD push 0297C696h; ret	0_2_0297C68E
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_0297C510 push 0297C696h; ret	0_2_0297C68E
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_0297F56C push 0297F5E2h; ret	0_2_0297F5DA
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_0298A8B4 push ecx; mov dword ptr [esp], edx	0_2_0298A8B9
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_0298A918 push ecx; mov dword ptr [esp], edx	0_2_0298A91D
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_0297BE90 push ecx; mov dword ptr [esp], edx	0_2_0297BE95
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_0297CEF8 pushad ; iretd	0_2_0297CEF9
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_0297CE58 push 0297CE84h; ret	0_2_0297CE7C
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_02982F52 push 02982FFFh; ret	0_2_02982FF7
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_02982F54 push 02982FFFh; ret	0_2_02982FF7
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_02995C0C push 02995DE8h; ret	0_2_02995DE0
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_02983DB8 push 02983DFAh; ret	0_2_02983DF2
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_02975DF4 push 02975E4Fh; ret	0_2_02975E47
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_02975DF2 push 02975E4Fh; ret	0_2_02975E47
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_004560BF push ecx; ret	5_2_004560D2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00434206 push ecx; ret	5_2_00434219
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0045C9DD push esi; ret	5_2_0045C9E6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_004569F0 push eax; ret	5_2_00456A0E

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\IRSTaxRefund.exe	File created: C:\Windows \SysWOW64\svchost.pif			Jump to dropped file
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	File created: C:\Users\Public\Libraries\Tmohrqmb.PIF			Jump to dropped file

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_00406128 ShellExecuteW,URLDownloadToFileW,

5_2_00406128

Source: C:\Users\user\Desktop\IRSTaxRefund.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to dropped file
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	File created: C:\Users\Public\Libraries\Tmohrqmb.PIF	Jump to dropped file
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	File created: C:\Windows \SysWOW64\NETUTILS.dll	Jump to dropped file

Source: C:\Users\user\Desktop\IRSTaxRefund.exe	File created: C:\Windows \SysWOW64\svchost.pif			Jump to dropped file
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	File created: C:\Windows \SysWOW64\NETUTILS.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_00419DBA OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

5_2_00419DBA

Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tmohrqmb			Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tmohrqmb			Jump to behavior

Source: C:\Users\user\Desktop\IRSTaxRefund.exe

Code function: 0_2_02986490 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_02986490

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Allocates many large memory junks

Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Memory allocated: 2A10000 memory commit 500064256	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Memory allocated: 2A11000 memory commit 500154368	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Memory allocated: 2A36000 memory commit 500002816	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Memory allocated: 2A42000 memory commit 501014528	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Memory allocated: 2B3A000 memory commit 500006912	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Memory allocated: 2B3B000 memory commit 500015104	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Memory allocated: 2970000 memory commit 500064256	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Memory allocated: 2971000 memory commit 500154368	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Memory allocated: 2996000 memory commit 500002816	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Memory allocated: 29A2000 memory commit 501014528	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Memory allocated: 2A9A000 memory commit 500006912	Jump to behavior
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Memory allocated: 2A9B000 memory commit 500015104	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Memory allocated: 2AB0000 memory commit 500064256	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Memory allocated: 2AB1000 memory commit 500154368	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Memory allocated: 2AD6000 memory commit 500002816	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Memory allocated: 2AE2000 memory commit 501014528	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Memory allocated: 2BDA000 memory commit 500006912	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Memory allocated: 2BDB000 memory commit 500015104	Jump to behavior

Delayed program exit found

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0040E627 Sleep,ExitProcess,	5_2_0040E627
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0715F3AC Sleep,ExitProcess,	5_2_0715F3AC
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0040E627 Sleep,ExitProcess,	11_2_0040E627
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04ACF3AC Sleep,ExitProcess,	11_2_04ACF3AC

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 7_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

7_2_0040DD85

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	5_2_00419AB8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	5_2_0716A83D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	11_2_00419AB8
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	11_2_04ADA83D

Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 9230			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: foregroundWindowGot 1757			Jump to behavior

Source: C:\Users\user\Desktop\IRSTaxRefund.exe

Dropped PE file which has not been started: C:\Windows \SysWOW64\svchost.pif

Jump to dropped file

Source: C:\Windows\SysWOW64\colorcpl.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_5-100292

Source: C:\Windows\SysWOW64\colorcpl.exe	API coverage: 9.0 %
Source: C:\Windows\SysWOW64\colorcpl.exe	API coverage: 9.3 %
Source: C:\Windows\SysWOW64\SndVol.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7516	Thread sleep time: -83500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7520	Thread sleep time: -1008000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7520	Thread sleep time: -27690000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: 0_2_0297534C GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	0_2_0297534C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	5_2_0040B335
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	5_2_0040B53A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	5_2_0041B63A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	5_2_004089A9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00406AC2 FindFirstFileW,FindNextFileW,	5_2_00406AC2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	5_2_00407A8C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	5_2_00408DA7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,	5_2_00418E5F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0716C3BF FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	5_2_0716C3BF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0715C2BF FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	5_2_0715C2BF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0715C0BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	5_2_0715C0BA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_07158811 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	5_2_07158811
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0715972E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	5_2_0715972E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_07159B2C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	5_2_07159B2C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_07169BE4 FindFirstFileW,	5_2_07169BE4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_07157847 FindFirstFileW,FindNextFileW,	5_2_07157847
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_052910F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_052910F1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0040AE51 FindFirstFileW,FindNextFileW,	7_2_0040AE51
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	8_2_00407EF8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 9_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	9_2_00407898
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	11_2_0040B335
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	11_2_0040B53A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	11_2_0041B63A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	11_2_004089A9
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00406AC2 FindFirstFileW,FindNextFileW,	11_2_00406AC2
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	11_2_00407A8C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	11_2_00408DA7
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,	11_2_00418E5F
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04ACC0BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	11_2_04ACC0BA
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04ACC2BF FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	11_2_04ACC2BF
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04ADC3BF FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	11_2_04ADC3BF
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AC8811 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	11_2_04AC8811
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AC972E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	11_2_04AC972E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AC7847 FindFirstFileW,FindNextFileW,	11_2_04AC7847
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AD9BE4 FindFirstFileW,	11_2_04AD9BE4
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AC9B2C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	11_2_04AC9B2C

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

5_2_00406F06

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 7_2_00418981 memset,GetSystemInfo,

7_2_00418981

Source: colorcpl.exe, 00000005.00000003.1717700032.0000000003064000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1714653918.0000000003064000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1719040592.0000000003064000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1720924755.0000000003064000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1721215104.0000000003064000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1721716564.0000000003064000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4145914838.0000000003064000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWo
Source: IRSTaxRefund.exe, 00000000.00000002.1695797145.000000000080C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
Source: colorcpl.exe, 00000005.00000003.1717700032.0000000003064000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1714653918.0000000003064000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1719040592.0000000003064000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1720924755.0000000003064000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1721215104.0000000003064000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1721716564.0000000003064000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4143664674.0000000003011000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4145914838.0000000003064000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bhv6B80.tmp.7.dr	Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: Tmohrqmb.PIF, 0000000A.00000002.1812072516.000000000083D000.00000004.00000020.00020000.00000000.sdmp, Tmohrqmb.PIF, 0000000D.00000002.1895627021.00000000006F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: bhv6B80.tmp.7.dr	Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US

Source: C:\Users\user\Desktop\IRSTaxRefund.exe	API call chain: ExitProcess graph end node	graph_0-23759
Source: C:\Windows\SysWOW64\colorcpl.exe	API call chain: ExitProcess graph end node	graph_5-101855
Source: C:\Windows\SysWOW64\colorcpl.exe	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\IRSTaxRefund.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_0043A86D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_0043A86D

Source: C:\Windows\SysWOW64\colorcpl.exe

7_2_0040DD85

Source: C:\Users\user\Desktop\IRSTaxRefund.exe

Code function: 0_2_02983E98 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_02983E98

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00442764 mov eax, dword ptr fs:[00000030h]	5_2_00442764
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_071510FB mov eax, dword ptr fs:[00000030h]	5_2_071510FB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_071510FB mov eax, dword ptr fs:[00000030h]	5_2_071510FB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_071934E9 mov eax, dword ptr fs:[00000030h]	5_2_071934E9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_05294AB4 mov eax, dword ptr fs:[00000030h]	5_2_05294AB4
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00442764 mov eax, dword ptr fs:[00000030h]	11_2_00442764
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AC10FB mov eax, dword ptr fs:[00000030h]	11_2_04AC10FB
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AC10FB mov eax, dword ptr fs:[00000030h]	11_2_04AC10FB
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04B034E9 mov eax, dword ptr fs:[00000030h]	11_2_04B034E9

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_00410BF1 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,

5_2_00410BF1

Source: C:\Windows\SysWOW64\colorcpl.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00434378 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00434378
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0043A86D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0043A86D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00433D4F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00433D4F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_00433EE2 SetUnhandledExceptionFilter,	5_2_00433EE2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_07184C67 SetUnhandledExceptionFilter,	5_2_07184C67
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_07184AD4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_07184AD4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0718B5F2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0718B5F2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_071850FD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_071850FD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_05292639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_05292639
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_052960E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_052960E2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_05292B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_05292B1C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00434378 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00434378
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_0043A86D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_0043A86D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00433D4F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00433D4F
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_00433EE2 SetUnhandledExceptionFilter,	11_2_00433EE2
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AF4C67 SetUnhandledExceptionFilter,	11_2_04AF4C67
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AF4AD4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_04AF4AD4
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AFB5F2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_04AFB5F2
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 11_2_04AF50FD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_04AF50FD

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 7150000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 4AC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 4BC0000 protect: page execute and read and write	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_0041742B GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,

5_2_0041742B

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Thread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 715166E	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Thread created: C:\Windows\SysWOW64\SndVol.exe EIP: 4AC166E	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Thread created: C:\Windows\SysWOW64\SndVol.exe EIP: 4BC166E	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 7150000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Memory written: C:\Windows\SysWOW64\SndVol.exe base: 4AC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Memory written: C:\Windows\SysWOW64\SndVol.exe base: 4BC0000 value starts with: 4D5A	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 7150000	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Memory written: C:\Windows\SysWOW64\SndVol.exe base: 4AC0000	Jump to behavior
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Memory written: C:\Windows\SysWOW64\SndVol.exe base: 4BC0000	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe		5_2_0041100E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe		11_2_0041100E

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_0041894A mouse_event,

5_2_0041894A

Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\user\AppData\Local\Temp\arbpnwwkbdbggftjlfvxogreibczuy"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\user\AppData\Local\Temp\arbpnwwkbdbggftjlfvxogreibczuy"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\user\AppData\Local\Temp\dlgiophmpltlilpvupprzllvriuivjxce"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\user\AppData\Local\Temp\nnlao"	Jump to behavior

Source: colorcpl.exe, 00000005.00000002.4145914838.0000000003064000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerJC965\u
Source: colorcpl.exe, 00000005.00000002.4145546656.000000000304E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managere
Source: colorcpl.exe, 00000005.00000002.4145914838.0000000003064000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerJC965\2
Source: colorcpl.exe, 00000005.00000002.4145546656.000000000304E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4145914838.0000000003064000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: colorcpl.exe, 00000005.00000002.4145914838.0000000003064000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerJC965\Q
Source: colorcpl.exe, 00000005.00000002.4145914838.0000000003064000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerJC965\
Source: colorcpl.exe, 00000005.00000002.4143664674.0000000002FD4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager965\
Source: colorcpl.exe, 00000005.00000002.4145914838.0000000003064000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerJC965\\|
Source: colorcpl.exe, 00000005.00000002.4145546656.000000000304E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managern
Source: colorcpl.exe, 00000005.00000002.4145546656.000000000304E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerk
Source: colorcpl.exe, 00000005.00000002.4145914838.0000000003064000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerJC965\X
Source: colorcpl.exe, 00000005.00000002.4145914838.0000000003064000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: colorcpl.exe, 00000005.00000002.4145914838.0000000003064000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerJC965\D
Source: colorcpl.exe, 00000005.00000002.4145914838.0000000003064000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerJC965\c
Source: colorcpl.exe, 00000005.00000002.4145914838.0000000003064000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerJC965\
Source: colorcpl.exe, 00000005.00000002.4145546656.000000000304E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managert
Source: colorcpl.exe, 00000005.00000002.4145546656.000000000304E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerR
Source: colorcpl.exe, 00000005.00000002.4145546656.000000000304E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager_
Source: colorcpl.exe, 00000005.00000002.4145546656.000000000302F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: logs.dat.5.dr	Binary or memory string: [Program Manager]

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_00434015 cpuid

5_2_00434015

Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02975510
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: GetLocaleInfoA,	0_2_0297A130
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: GetLocaleInfoA,	0_2_0297A17C
Source: C:\Users\user\Desktop\IRSTaxRefund.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_0297561C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_2_0045107A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	5_2_004512CA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	5_2_004472BE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_004513F3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	5_2_004514FA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_004515C7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoA,	5_2_0040E751
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	5_2_004477A7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	5_2_00450C8F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	5_2_00450F52
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	5_2_00450F07
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	5_2_00450FED
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	5_2_0719852C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_071A234C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	5_2_071A227F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_071A2178
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	5_2_071A204F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	5_2_07198043
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoA,	5_2_0715F4D6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	5_2_071A1D72
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_2_071A1DFF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	5_2_071A1C8C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	5_2_071A1CD7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	5_2_071A1A14
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	10_2_02AB5510
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: GetLocaleInfoA,	10_2_02ABA17C
Source: C:\Users\Public\Libraries\Tmohrqmb.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	10_2_02AB561B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	11_2_0045107A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	11_2_004512CA
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	11_2_004472BE
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	11_2_004513F3
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	11_2_004514FA
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	11_2_004515C7
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoA,	11_2_0040E751
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	11_2_004477A7
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	11_2_00450C8F
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	11_2_00450F52
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	11_2_00450F07
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	11_2_00450FED
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	11_2_04B0852C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	11_2_04B08043
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	11_2_04B1204F
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	11_2_04B12178
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	11_2_04B1227F
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	11_2_04B1234C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoA,	11_2_04ACF4D6
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	11_2_04B11C8C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	11_2_04B11CD7
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	11_2_04B11DFF
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	11_2_04B11D72
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	11_2_04B11A14

Source: C:\Windows\SysWOW64\colorcpl.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\IRSTaxRefund.exe

Code function: 0_2_02978BB0 GetLocalTime,

0_2_02978BB0

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_0041A9AD GetComputerNameExW,GetUserNameW,

5_2_0041A9AD

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_00448267 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

5_2_00448267

Source: C:\Users\user\Desktop\IRSTaxRefund.exe

Code function: 0_2_0297B0B0 GetVersionExA,

0_2_0297B0B0

Source: C:\Windows\SysWOW64\colorcpl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac1985.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc1985.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7151985.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7150000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7150000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc1985.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7151985.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac1985.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.1894324058.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1812493335.0000000004AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1896020251.0000000004BC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4146895773.0000000007150000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1811552220.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4143664674.0000000003011000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1894763646.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1811250276.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1894262247.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4140858643.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\iuytrtyu\logs.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data		5_2_0040B21B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data		11_2_0040B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	5_2_0040B335
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: \key3.db	5_2_0040B335
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	11_2_0040B335
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: \key3.db	11_2_0040B335

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\colorcpl.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\colorcpl.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: ESMTPPassword	8_2_004033F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	8_2_00402DB3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	8_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7588, type: MEMORYSTR

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac1985.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc1985.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7151985.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7150000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7150000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SndVol.exe.4bc1985.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.colorcpl.exe.7151985.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SndVol.exe.4ac1985.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.1894324058.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1812493335.0000000004AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1896020251.0000000004BC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4146895773.0000000007150000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1811552220.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4143664674.0000000003011000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1894763646.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1811250276.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1894262247.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4140858643.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\iuytrtyu\logs.dat, type: DROPPED

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: cmd.exe		5_2_00405042
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: cmd.exe		11_2_00405042

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	21 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Valid Accounts	1 Bypass User Account Control	2 Obfuscated Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Windows Service	1 Valid Accounts	1 Timestomp	2 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	11 Access Token Manipulation	1 DLL Side-Loading	3 Credentials In Files	3 File and Directory Discovery	Distributed Component Object Model	111 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Windows Service	1 Bypass User Account Control	LSA Secrets	38 System Information Discovery	SSH	3 Clipboard Data	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	622 Process Injection	1 File Deletion	Cached Domain Credentials	231 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Registry Run Keys / Startup Folder	121 Masquerading	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Access Token Manipulation	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	622 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IRSTaxRefund.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
IRSTaxRefund.exe